I SUMMARY*

How can the user of an automatic theorem-prover respond to the failure of the system to prove a given theorem? We know of three conventional responses: (1) modify the theorem-proving program itself, (2) guide the machine to the proof by interacting with a proof-checker-like facility, and (3) guide the machine to the proof by adding to its database of lemmas. Alternative (1) can be easy, but it may result in bugs in the theorem-prover and therefore requires extreme caution and expertise not to be expected of every user. Even if an error-free modification is made, it may amount to the assumption of what was supposed to be proved. Alternative (2) is safe and sound, but very tedious, and it does not improve the theorem-prover for the next occasion on which a similar proof is required. Alternative (3) is also safe and sound if the theorem-prover proves the lemmas before accepting them. But this alternative, too, can be very tedious, or even hopeless, if the theorem-prover's heuristics fail to use the new lemmas in the ways intended by the user.

In this paper we describe and justify logically an implementation of a fourth alternative. We have improved the theorem-prover described in A Computational Logic [1] so that one of the alternatives now available to the user is to modify the theorem-prover by adding executable code. This code can cause the system to pursue new strategies and apply new proof techniques under arbitrary heuristic control. However, to ensure the soundness of the resulting theorem-prover, each purported proof technique must be proved correct by the theorem-prover before it is incorporated into the system.

* The work reported here was supported in part by NSF Grant MCS-7904081 and ONR Contract N00014-75-C-0816.
To extend our theorem-prover by adding a new piece of code the user proceeds as follows.

First, the user conceives some transformation from terms of the theory to terms of the theory that he wishes the theorem-prover would make.

Second, the user must understand a correspondence between terms of the theory and certain constants of the theory. This correspondence is simple and resembles the use of lists and atoms to represent the expressions of LISP.

Third, the user must define a new function in the logic of our system. While defining this function the user can think of himself as implementing the term transformation that he desires. He writes the function so that if his desired transformation takes a term t to a term t', then his function maps the constant corresponding to t to the constant corresponding to t'. (Because our language is related to that of Pure LISP, it will often not be difficult for the user to define his function in our theory if he can define it in Pure LISP. In A Computational Logic [1], we present many examples of functions that perform simple list processing operations and we even present some functions that are actually simple theorem-provers.)

Fourth, the user presents the definition of his function to our theorem-prover. The theorem-prover attempts to check that the definition satisfies our principle of definition. If the theorem-prover is successful, then the definition is admitted and the user is assured that there does exist one and only one function satisfying his definition.

Fifth, if the definition is admitted, the user asks the system to prove a certain "correctness" theorem about the new function. The correctness theorem will be described informally in the next subsection.

Finally, if the correctness theorem is proved, the system incorporates into its simplifier new compiled code, derived from the function definition, that operates on the very INTERLISP data structures used to represent terms in our theorem-proving program. If the new code is applied to an INTERLISP object that represents a term t, the result of the application will be an INTERLISP object that represents the term into which the user wished to transform t.

Once all these steps have been completed, the future behavior of the theorem-prover will be altered as follows. At a certain place in our theorem-prover's simplification routine, the code for the user's function is applied to the representation of the term that the theorem-prover is currently working on. The theorem-prover uses the output of that application as the representation of the new current term, thereby fulfilling the user's desire to transform terms.

In this paper we describe (a) the correspondence between terms and constants, (b) the correctness theorem for metafunctions, and (c) the translation from user definition to compiled code. We establish in this paper that the new compiled code is a correct simplifier. We illustrate all the ideas discussed with a metafunction that usefully extends our system and that has been proved correct. We also discuss the difficulty of proving useful metafunctions correct. Before presenting the details, we now sketch the entire paper and compare our work to that of others.

A. The Correctness Theorem

Suppose that the user has defined his function, fn, and that it has been accepted under our principle of definition. At this time, there are only a finite number of function symbols, say f1, ..., fm, about which any axioms (e.g., definitions) have been made.

Before formulating the correctness theorem for fn, we first introduce and axiomatize in our current theory, T, two functions, FORMP and MEANING, which take one and two arguments, respectively. We assume, without loss of generality, that the symbols FORMP and MEANING are not among the f1, ..., fm.

The precise axioms added to define these two functions are presented later. Intuitively, the axioms about FORMP are sufficient to derive for any constant c whose only function symbols are in f1, ..., fm whether c corresponds to some term in the theory T. Intuitively, MEANING is axiomatized to take as its first argument a constant corresponding to some term in T and as its second argument an assignment of values to variables; MEANING returns the value of the term under the assignment.

For example, consider the term (PLUS X Y). The constant corresponding to this term is

(CONS "PLUS" (CONS "X" (CONS "Y" "NIL"))).

MEANING is axiomatized so that when it is applied to this constant and to the assignment that assigns 5 to "X" and 6 to "Y", then MEANING returns 11. (As will be explained, "X" is an abbreviation for a certain constant in our theory, namely (PACK (CONS 88 0)). 88 happens to be the ASCII code for the character X.)

The correctness theorem for the metafunction fn is:

(IMPLIES (FORMP X)
         (AND (EQUAL (MEANING X A)
                     (MEANING (fn X) A))
              (FORMP (fn X)))).

That is, for all X, if X is a constant corresponding to some term, then for all assignments A, the MEANING of X under A is the same as the MEANING of (fn X) under A. Furthermore, (fn X) also corresponds to some term.

Suppose that the theorem-prover can prove the correctness theorem for fn. "So what," the reader may say, "if random axioms are assumed, then anything can be proved. How do I know that the axioms about FORMP and MEANING have any sense? Furthermore, even if they are sound, why should I be interested in a theorem that is a consequence of those axioms? In particular, how does your correctness theorem let me use fn as a proof procedure?" We now answer these questions by demonstrating how fn can be used to simplify terms.
First, let us delete the axioms about FORMP and MEANING that we added to the theory T after the definition of fn. Suppose that sometime later, perhaps even after adding some new function definitions (or even some other kinds of axioms), the user wishes some term p to be replaced by its transform. Let f1, ..., fp be the sequence of function symbols about which there are now axioms. Of course, all of the function symbols occurring in the term p will be among the f1, ..., fp. Let us now define the functions MEANING and FORMP in such a way that the axioms that were previously added will be true. In our definition of MEANING, we shall adopt an entirely arbitrary position about the meaning of constants that contain function symbols other than f1, ..., fp. We shall define FORMP so that it is false on constants not corresponding to terms of the current theory.

Because FORMP and MEANING are defined to satisfy the axioms we had previously added, there exists a proof of the correctness theorem for fn in our current theory.

Now suppose that c is the constant of the theory that corresponds to p. Since the definition of fn was accepted under our principle of definition, there exists a constant d such that

(EQUAL (fn c) d)

is a theorem. Since c corresponds to p, c satisfies FORMP. By the correctness theorem for fn, d will satisfy FORMP and will in fact be the constant corresponding to some term q. Furthermore, by the correctness theorem for fn, it will be a theorem that:

(EQUAL (MEANING c A)
       (MEANING d A)).

Finally, it can be shown that there will exist a trivial assignment a such that

(EQUAL (MEANING c a) p)

and

(EQUAL (MEANING d a) q)

are both theorems. To see that there always exists such a trivial assignment a, consider this example: let p be the term (PLUS X Y) and let c be the corresponding constant

(CONS "PLUS" (CONS "X" (CONS "Y" "NIL")));

then for the assignment a

(CONS (CONS "X" X)
      (CONS (CONS "Y" Y)
            "NIL"))

it is the case that (EQUAL (MEANING c a) p).

Since the user's definition of fn transforms c into d, it is understood that the user wishes the theorem-prover to transform p into q. But we have proved that p = (MEANING c a) = (MEANING d a) = q. Hence, there is a proof that p is equal to q, and the theorem-prover is justified in replacing p with q.

B. The Implementation

In the preceding section we demonstrated how the proof of the correctness theorem for a function fn could be used to justify the transformation of some term p into another term q. It is not necessary to repeat the proof that such transformations are legal every time we make such a transformation. However, to take advantage of the metatheorem, we want our theorem-prover to obtain q from p efficiently. Specifically, we would like to obtain q from p with approximately the same speed that we could obtain q from p if we had hand-coded an INTERLISP function analogous to fn instead of introducing fn into our theory. There were three steps in computing q from p. The first step was finding the constant c corresponding to p. The second step was finding the constant d such that (EQUAL (fn c) d). And the final step was finding the term q to which d corresponded.

In our implementation of metafunctions we have arranged for the first and third steps to be exceedingly efficient: in fact, they literally take no time at all. The trick we use is to arrange our INTERLISP representation of terms so that if obj is an INTERLISP object representing a term t, then the INTERLISP list of length two whose first member is the atom QUOTE and whose second member is obj represents the constant corresponding to t.

Thus, if obj is an INTERLISP object we use to represent the term (PLUS X Y), then the INTERLISP object constructed by consing QUOTE onto obj onto NIL (in INTERLISP) is an object representing

(CONS "PLUS" (CONS "X" (CONS "Y" "NIL"))).

Thus, should we have a representation of p and desire to represent c, we embed the representation of p in a QUOTE. On the other side, should we have a representation of d and desire to obtain a representation of q, we take the cadr (i.e., car of the cdr) of the representation of d. It will turn out that we never actually have to represent c and d in going from p to q, but it is the term representation above that makes it possible. We will prove that if obj represents the term t then the result of embedding obj in a QUOTE represents a term whose MEANING under an appropriate assignment is t. The proof is complicated mainly by the limitations and restrictions imposed by efficiency considerations and INTERLISP (or any other real implementation language).

Now suppose we have the above representation of c. How can we obtain d quickly? Recall that d is the constant equal to (fn c). When a function is accepted under our definition principle our system compiles an INTERLISP routine whose body is analogous to the definition. For example, when the function APPEND is introduced with the definition:

Definition.
(APPEND X Y)
=
(IF (LISTP X)
    (CONS (CAR X) (APPEND (CDR X) Y))
    Y).

the system generates and compiles the INTERLISP routine 1APPEND:

(1APPEND (LAMBDA (X Y)
  (COND ((AND (LISTP X) (NEQ (CAR X) 1SQM))
         (CONS (CAR X) (1APPEND (CDR X) Y)))
        (T Y)))).

The relationship between the mathematical function APPEND and the INTERLISP routine 1APPEND is then as follows. If obj1 and obj2 are INTERLISP objects that, when embedded in QUOTEs, represent the constants c1 and c2 in the theory, then the INTERLISP object computed by (1APPEND obj1 obj2), when embedded in a QUOTE, represents a constant term d such that (EQUAL (APPEND c1 c2) d) is a theorem.

Thus, if fn has been accepted by the principle of definition the INTERLISP routine 1fn has also been introduced. Suppose that after we have proved the correctness theorem for fn we desire to use fn to transform p to q. Suppose objc represents p. Let objc' be the result of embedding objc in a QUOTE. Then objc' represents c. Let objd' be the result of embedding in a QUOTE the result of executing 1fn on the cadr of objc'. Then objd' represents d. Let objd be the cadr of objd'. Then objd represents q. By the metatheorem, p and q are provably equal, so we may substitute objd for objc in the representation of the conjecture being proved. But if x' is the result of embedding x in a QUOTE, the cadr of x' is x. Thus, the above scenario is equivalent to applying 1fn to objc (the representation of p) to obtain objd (the representation of q).

C. A Useful Metafunction

We have used metafunctions to improve the power of the theorem-prover described in A Computational Logic. That theorem-prover was powerful enough to prove its way from the Peano-like axioms for the natural numbers and sequences to the existence and uniqueness of prime factorizations without any built-in arithmetic procedures or heuristics. However, it could not cancel an addend occurring arbitrarily deeply on both sides of an equation. The reason was that it was not possible to state any useful lemma describing a schematic transformation. After implementing metatheoretic extensibility as described, we used it to add schematic cancellation.

The metafunction CANCEL was defined so that when given the symbolic expression representing the equation:

(EQUAL (PLUS B (PLUS C (PLUS I X)))
       (PLUS (PLUS A (PLUS I J)) (PLUS K X)))

CANCEL produces the symbolic expression for

(EQUAL (PLUS B C)
       (PLUS A (PLUS J K))).

CANCEL works by computing the fringe of the two PLUS-trees on each side of the symbolic equation, intersecting the fringes with the "bag" intersect function, subtracting the bag of common addends from each fringe, and then reconstituting the modified fringes into right-associated PLUS-trees in a new symbolic equation. However, to be correct CANCEL must take into account the typeless syntax of our theory. Thus, when given

(EQUAL A (PLUS A B))

it returns

(IF (NUMBERP A)
    (EQUAL 0 (FIX B))
    (FALSE)).

Furthermore, it does not bother to construct this expression if one side of the equation is not an element of the fringe of the other because it would be a heuristic mistake.
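The cancellation just described (fringe, bag intersection, bag difference, right-associated rebuild, and the NUMBERP split forced by the typeless syntax), together with the MEANING function of Section I.A, as an added example written in Python rather than in the paper's logic or INTERLISP; it is not the paper's CANCEL. The term encoding, the sample values and the counterexample search are assumptions of this example, and that search only enumerates a few assignments, so it is a finite test of the MEANING clause of the correctness theorem and not the mechanical proof the paper describes.

```python
from collections import Counter
from itertools import product

# Terms follow the paper's prefix syntax encoded as Python data (constructed for
# this example, not the paper's INTERLISP representation): a variable is a str,
# a numeral is an int, an application is a tuple headed by its function symbol,
# e.g. ('PLUS', 'X', 'Y'); the string 'T' stands in for a non-numeric object.

def is_plus(term):
    return isinstance(term, tuple) and term[0] == 'PLUS'

def fringe(term):
    """Addends of a PLUS-tree, left to right, kept as a bag (duplicates stay)."""
    return fringe(term[1]) + fringe(term[2]) if is_plus(term) else [term]

def bag_difference(xs, ys):
    """Remove each element of ys from xs once: multiset difference."""
    out = list(xs)
    for y in ys:
        if y in out:
            out.remove(y)
    return out

def list_difference(xs, ys):
    """Remove every occurrence of each element of ys: the bug the proof caught."""
    return [x for x in xs if x not in ys]

def plus_tree(addends):
    """Right-associated PLUS-tree over a non-empty fringe."""
    return addends[0] if len(addends) == 1 else ('PLUS', addends[0], plus_tree(addends[1:]))

def rebuild(addends):
    """Residual fringe as a term: nothing left is 0, and a single leftover
    addend is FIXed because the PLUS it came from coerced it to a number."""
    if not addends:
        return 0
    return ('FIX', addends[0]) if len(addends) == 1 else plus_tree(addends)

def cancel(eq, difference=bag_difference):
    """Cancel the addends common to both sides of (EQUAL lhs rhs)."""
    if not (isinstance(eq, tuple) and eq[0] == 'EQUAL'):
        return eq
    lhs, rhs = eq[1], eq[2]
    if not (is_plus(lhs) or is_plus(rhs)):
        return eq
    lf, rf = fringe(lhs), fringe(rhs)
    common = list((Counter(lf) & Counter(rf)).elements())  # bag intersection
    if not common:  # the paper's heuristic: no common addend, leave it alone
        return eq
    new_eq = ('EQUAL', rebuild(difference(lf, common)), rebuild(difference(rf, common)))
    # Typeless syntax: a bare side can equal a PLUS-tree only if it is a number.
    for side in (lhs, rhs):
        if not is_plus(side) and not isinstance(side, int):
            new_eq = ('IF', ('NUMBERP', side), new_eq, ('FALSE',))
    return new_eq

def fix(v):
    return v if type(v) is int else 0

def meaning(term, a):
    """Value of term under the assignment a, a dict from variable name to value."""
    if type(term) is int:
        return term
    if type(term) is str:
        return a[term]
    op, args = term[0], [meaning(t, a) for t in term[1:]]
    if op == 'PLUS':
        return fix(args[0]) + fix(args[1])
    if op == 'FIX':
        return fix(args[0])
    if op == 'NUMBERP':
        return 'T' if type(args[0]) is int else 'F'
    if op == 'EQUAL':
        return 'T' if args[0] == args[1] else 'F'
    if op == 'IF':
        return args[2] if args[0] == 'F' else args[1]
    if op == 'FALSE':
        return 'F'
    raise ValueError('unknown function symbol %r' % op)

def variables(term):
    if type(term) is str:
        return {term}
    return set().union(*(variables(t) for t in term[1:])) if type(term) is tuple else set()

def counterexample(before, after, values=(0, 1, 2, 'T')):
    """First assignment over `values` under which the two MEANINGs differ, else
    None: a finite test of the MEANING clause of the correctness theorem."""
    vs = sorted(variables(before) | variables(after))
    for vals in product(values, repeat=len(vs)):
        a = dict(zip(vs, vals))
        if meaning(before, a) != meaning(after, a):
            return a
    return None

if __name__ == '__main__':
    eq = ('EQUAL', ('PLUS', 'B', ('PLUS', 'C', ('PLUS', 'I', 'X'))),
          ('PLUS', ('PLUS', 'A', ('PLUS', 'I', 'J')), ('PLUS', 'K', 'X')))
    print(cancel(eq))  # (EQUAL (PLUS B C) (PLUS A (PLUS J K)))
```

Calling cancel with difference=list_difference reproduces the bug reported in Section E: an addend occurring twice on one side is cancelled against a single occurrence on the other, and counterexample then finds an assignment under which MEANING is not preserved.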

CANCEL is fairly complicated. In all, its definition (together with those of its subfunctions) requires 100 lines of "prettyprinted" text. In this paper we carefully describe the cancellation function and the proof of its correctness. The proof is constructed by our theorem-prover from the axioms of Peano integers, atoms, and ordered pairs, without any built-in knowledge of arithmetic. We also explain the INTERLISP code generated for the function and explain how it is integrated into our automatic theorem-prover. The incorporation of this new proof procedure, which was mathematically defined and mechanically proved correct, increases the power of the system without noticeably affecting its speed.

D. Related Research

We now compare our approach to extensibility with recent work by others on the same subject. The basic premise of all work on extensible theorem-provers is that it should be possible to add new proof techniques to a system without endangering the soundness of the system. It seems possible to divide current work into two broad camps. In the first camp are those systems that allow the introduction of arbitrary new procedures, coded in the implementation language, but require that each application of such a procedure produce a formal proof of the correctness of the transformation performed. In the second camp are those systems that contain a formal notion of what it means for a proof technique to be sound and require a machine-checked proof of the soundness of each new proof technique. Once proved, the new proof technique can be used without further justification. Our system is in the second camp.

The LCF system, described by Milner et al. [5], is an example of a system in the first camp. The LCF metalanguage is a programming language that provides the data type "theorem." "Theorems" can be produced only by the basic rules of inference, which are implemented as procedures. The user can define new rules of inference as procedures that produce theorems by calling lower-level procedures under the control of arbitrary heuristics. The new rules of inference are sound (when they do not cause run-time errors) since the result produced by any given application must in fact have been produced by a correct sequence of applications of the lowest-level rules of inference.

Brown, in [3], proposes another system in the first camp. He suggests that each new proof procedure be coded in some conventional implementation language (e.g., LISP or machine code) but have an auxiliary procedure capable of producing a formal justification of any given application. To illustrate the idea, he exhibits a LISP program to find and cancel a single common addend on each side of an equation. As one example justification he suggests the proof procedure that derives the output from the input using only the associative, commutative, and cancellation laws for PLUS.*

* As a second justification Brown uses a meaning function, virtually identical to ours and described earlier by Brown in [2], to express the schematic cancellation law. However, he does not express the law in a way that permits its mechanical application. In fact, he says that all of his mathematical justification procedures are sufficiently inefficient that they should be run to obtain a formal proof only when a step of the informal proof is "challenged."

In essence systems from the first camp are extensible because they provide a facility whereby the user can define succinct abbreviations that may be mechanically translated into long sequences of proof steps. The advantage such systems have over those of the second camp is that new proof procedures can be used without having to prove them correct. The primary disadvantage we see is one of efficiency: no matter how elaborate one's new rules of inference are, the system must plod through proofs at the lowest level.

Weyhrauch's work on FOL [7] exemplifies the second camp. He has implemented in FOL a system in which the formulas of one theory are the objects in another. In the upper theory he formalizes the syntax and rules of inference of the lower theory. To prove that a function in the upper theory is a sound simplifier for the lower theory one must prove in the upper theory that there exists a proof in the lower theory of the equality of the input and output. To apply such a metafunction to a formula during a proof at the lower level, Weyhrauch "reflects" the formula into a constant at the upper level, symbolically applies the metafunction to that constant, and then reflects the result back down. To make the process more efficient, Weyhrauch provides the perilous act of "semantic attachment" by which the user can associate programming entities (data structures and procedures) with logical entities (formulas and functions). Of course, perilous acts, while perfectly legitimate in the hands of a careful implementor, are to be considered illegal in the hands of careless users. Using semantic attachment, Weyhrauch arranges for the programming objects that represent formulas at one level to represent objects at the other. He can also arrange for certain built-in metafunctions (namely, those corresponding to the proof procedures in his system) to be executed very efficiently (as calls to the appropriate procedures).

Another example of the second camp was proposed by Davis and Schwartz in [4]. Like Weyhrauch they propose to embed formally the rules of inference of their logic in the logic. Unlike Weyhrauch they do not introduce a new "metatheory" but rather embed the rules of inference in a decidable subtheory. Like us, they then provide a MEANING-like function to map from formulas in the logic to constants. They propose to prove the correctness of "metafunctions" by proving that there exists a constant that is a "proof" of the equivalence of the input and output of the function.

Of course, while the second camp has only in the last few years begun to attract the attention of researchers in automatic theorem-proving, Gödel lit the campfire in 1931 when he showed that one can define functions that are proof-checkers for the theory containing them.

We can thus summarize the relationship between our work and that of others as follows. Our work is different from that of Milner et al. [5] and Brown [3] primarily because we are in the second camp. Our theoretical approach is different from Weyhrauch's [7] and Davis and Schwartz's [4] because we avoid the complexity of embedding the rules of inference of our logic in our logic and (unlike Weyhrauch) do not have to formalize the notion that one theory is the metatheory of another.* Our implementation is different from any reported implementation of metatheoretic extensibility because we show how the user can achieve efficiency comparable to hand-coded procedures in the implementation language without availing himself of perilous acts.

* In defense of Weyhrauch's logical machinery it must be observed that his goal is the study of formal theories of reasoning -- in which metatheoretic reasoning plays a crucial role -- while ours is the much less ambitious one of getting permission to apply user-supplied proof procedures.

E. The Key Problem: Theorem-Proving

Once the theoretical justification and practical implementation of metatheoretic extensibility is completed, the researcher must confront the fundamental problem for those in the second camp: proving the correctness of new metafunctions with a mechanical theorem-prover. If it is not practical to prove the correctness of new procedures with the tools provided, then -- depending on whether users can add new axioms -- the extensibility is either unusable or unsafe because users will add axioms stating the correctness of new procedures. The latter is little better than the ad hoc approach of alternative (1), i.e., the arbitrary hand-recoding of the theorem-prover.

We did not begin to consider seriously the incorporation of metafunctions until we had some evidence that our system could prove the correctness of metafunctions that would actually improve the system. The evidence came in September, 1978, when we had the system prove that CANCEL preserved MEANING (even though at that time the system could not employ that result metatheoretically).

The proof of the correctness theorem for the cancellation function did provide an interesting exercise for our theorem-prover. However, the number and difficulty of the intermediate lemmas that we formulated and the theorem-prover proved on the way to the main correctness theorem were less than the number and difficulty of the lemmas used in our proof of the correctness of a tautology-checker in Chapter IV of A Computational Logic. To formulate the lemmas and get the theorem-prover to prove the correctness theorem took one of the authors less than a day from the time the exercise was conceived. The earliest proof attempt found a bug in CANCEL: it cancelled multiple occurrences of an addend on one side against one occurrence on the other, due to the use of "list difference" rather than "bag difference." Because of the small amount of user effort necessary to introduce a correct cancellation procedure we are optimistic that our approach to extensibility may be feasible.

However, we conclude with three observations.

First, no implementation of metatheoretic extensibility will be feasible unless the mechanical theorem-prover can prove theorems about inductively defined concepts such as terms, formulas, and their meanings.

Second, it is interesting to ask whether a sound and practical approach to metatheoretic extensibility can be based on a simpler theorem-prover than ours. We suspect that it might take weeks to prove the correctness of a useful metafunction, such as our cancellation function, if one used a simple proof-checker.

Third, some theorem-prover researchers who, like us, are in the business of building theorem-provers to be used by a large community of users, may regard the provision for user extensibility (via either camp) to be an adequate response to the constant appeals from users to improve the power of the system. After all, extensibility gives the user the ability to tailor the system to his needs. But we do not see extensibility as a panacea for the current lack of theorem-proving power. It is a solution to a relatively simple problem: how to obtain insurance against unsoundness. The truly hard intellectual problem remains: the discovery of harmoniously cooperating heuristics for marshalling a very large number of facts and constructing difficult proofs.
F. Organization of this Paper

The structure of our presentation is as follows. In Section II we illustrate the introduction and use of a metafunction after briefly reviewing our formal logic as it was presented in [1]. In Section III we describe certain minor revisions made to the logic described in [1] to undertake the meta-approach conveniently, and we present some formal nomenclature used in the proof of the Metatheorem. In Section IV we state and prove the Metatheorem, which establishes that metafunctions can be applied. In Section V we outline our INTERLISP implementation of metafunctions in our theorem-proving program. In Section VI we describe the representation of terms in our theorem-proving program and in Section VII we prove some lemmas used in the demonstration that we have correctly implemented the Metatheorem. In Section VIII we explain how we translate user-defined functions into efficient INTERLISP procedures. In Section IX we describe the mechanical proof of the correctness of the example metafunction described in Section II and we comment on the difficulty of such proofs. In Section X we describe details of the implementation of metafunctions and give some output generated by our theorem-prover while using a metafunction.
II AN EXAMPLE


In  this  section  we  illustrate  the  use  of  metafunctions  by  writing 
in  our  logic  a  recursive  function  for  cancelling  all  common  addends  on 
opposite  sides  of  an  equation.  Our  example  is  similar  to  but  more 
elaborate  than  the  one  used  by  Brown  in  [3]. 

A.  A  Sketch  of  Our  Formal  Theory* 

A  term  is  either  a  variable  symbol  (which  we  define  precisely  in 
Section  III),  or  else  it  is  a  sequence  consisting  of  a  function  symbol 
of  n  arguments,  followed  by  n  terms.  We  use  the  prefix  syntax  of  Church 
to  write  down  terms.  For  example,  if  PLUS  is  a  function  symbol  of  two 
arguments,  we  write  (PLUS  X  Y)  where  others  might  write  PLUS(X,Y)  or 
X+Y. 

Our theory is obtained by starting with the axioms and rules of
inference of propositional calculus with equality and function symbols
(including the rule of inference that any instance of a theorem is a
theorem) and adding (a) axioms for certain basic function symbols, (b) a
rule of inference permitting proof by induction, (c) a principle of
definition permitting the introduction of total recursive functions, and
(d) the "shell principle," permitting the introduction of axioms
specifying "new" types of inductively defined objects.

The basic function symbols are TRUE, FALSE, IF and EQUAL. The
first two are function symbols of no arguments and may be thought of as
distinct truth values. IF is a function symbol of three arguments and
is axiomatized so that (IF X Y Z) = Z if X = (FALSE) and (IF X Y Z) = Y
if X ≠ (FALSE). EQUAL is a function symbol of two arguments and
axiomatized so that if X = Y, (EQUAL X Y) = (TRUE), and if X ≠ Y, (EQUAL
X Y) = (FALSE). (The = sign used here is the usual equality
predicate.)

* Our formal theory is described in detail in Chapter III of
A Computational Logic.

In our logic, terms also play a role similar to the one that
formulas play in predicate calculus. For example, by an abuse of the
word "theorem" (which is usually only applied to formulas), when we say
(EQUAL X X) is a theorem we mean (EQUAL X X) ≠ (FALSE) is a theorem.
Using IF we define the function NOT, of one argument, that returns
(TRUE) if its argument is (FALSE) and returns (FALSE) otherwise. We
similarly define the dyadic functions AND, OR, and IMPLIES.

Our principle of induction is based on the notion of well-founded
relations (i.e., relations for which there exists no infinite sequence of
successively smaller objects). Suppose r is a well-founded relation and
that the measure m of (d X) is r-smaller than m of X when X has property
q. Then the induction principle permits one to prove (p X Y) by proving
two other conjectures. The first, called the "base case," is that (p X
Y) is true when X does not have property q. The second, called the
"induction step," is that (p X Y) is true when X has property q and (p
(d X) Y) is true.

Our  principle  of  definition  provides  the  ability  to  introduce  new 
recursive  function  definitions,  provided  certain  theorems  can  be  proved 
beforehand.  The  theorems  require  the  exhibition  of  a  measure  and  well- 
founded  relation  under  which  the  arguments  to  recursive  calls  are 
getting  smaller.  Such  theorems,  together  with  some  trivial  syntactic 
requirements,  are  sufficient  to  guarantee  the  existence  and  uniqueness 
of  a  function  satisfying  the  defining  equation. 

Finally,  the  "shell  principle"  provides  a  means  for  introducing 
"new"  types  of  inductively  defined  objects  that  may  be  thought  of  as 
typed  n-tuples  with  type  restrictions  on  the  components.  The  shell 
principle  allows  the  user  of  the  theorem-prover  to  characterize  the 
desired  objects  by  specifying  n,  the  type  restrictions,  and  (new)  names 
for  the  primitive  functions  on  the  new  type.  Provided  certain  trivial 
syntactic  requirements  are  met,  the  shell  principle  adds  to  the  theory  a 
set of axioms describing the new type. Using the shell principle we
introduce three sets of objects into the initial version of the theory.
These initial shells are:


* The Peano integers, with recognizer NUMBERP, bottom object
  (ZERO), constructor ADD1 of one argument which must be a
  NUMBERP or else defaults to (ZERO), accessor SUB1, and
  well-founded relation SUB1P.

* The "literal atoms," with recognizer LITATOM, bottom object
  (NIL), constructor function PACK of one argument of
  arbitrary type, accessor UNPACK (which returns (ZERO) on
  non-LITATOMs), and well-founded relation UNPACKP.

* The "ordered pairs" or "lists," with recognizer LISTP, no
  bottom object, constructor function CONS of two arguments
  of arbitrary type, accessors CAR and CDR (which default to
  (NIL) on non-LISTPs) and well-founded relation CAR/CDRP.

The  "recognizer"  function  is  axiomatized  to  return  (TRUE)  or 
(FALSE)  according  to  whether  its  argument  is  a  member  of  the  new  type. 
The  optional  "bottom  object"  function  of  no  arguments  represents  an 
"empty"  object  of  the  new  type.  The  "constructor"  function  takes  n 
arguments  and  has  as  its  value  an  n-tuple  of  the  new  type.  If  the  ith 
argument  position  has  a  "type  restriction"  that  is  not  satisfied  by  the 
ith  argument,  the  argument  is  "coerced"  into  the  right  type  by  being 
replaced  by  a  "default  value."  The  "type  restriction"  either  requires 
that  the  argument  be  of  one  of  a  finite  number  of  types  or  requires  that 
the  argument  not  be  of  one  of  a  finite  number  of  types.  The  ith 
"accessor"  function  is  axiomatized  so  that  when  applied  to  an  n-tuple  of 
the  new  type  it  returns  the  ith  component.  When  applied  to  an  object 
other  than  a  tuple  of  the  new  type,  the  ith  accessor  returns  the  ith 
default  value.  Finally,  the  "well-founded  relation"  is  axiomatized  so 
that  the  components  of  an  n-tuple  are  smaller  than  the  tuple. 

We  complete  the  initial  development  of  the  theory  by  introducing 
the  well-founded  relation  and  the  measure  function  that  are  most 
commonly  used  in  our  theory:  the  "less  than"  relation  on  the  Peano 
integers  and  the  "size"  of  a  shell  object.  The  "less  than"  relation  is 
introduced  as  the  recursively  defined  function  LESSP,  which  returns 
(TRUE)  if  its  first  argument  is  less  than  its  second,  and  (FALSE) 
otherwise. LESSP treats any nonnumeric argument as though it were
(ZERO).
The "size" of an object is computed by the function COUNT, which is
defined  to  be  (ZERO)  on  bottom  objects  and  nonshells  and  one  plus  the 
sum  of  the  sizes  of  the  components  on  n-tuples. 

The  function  PLUS  is  defined  to  compute  the  sum  of  its  two 
arguments.  Our  theory  does  not  provide  a  "typed"  syntax.  Thus  terms 
such  as  (PLUS  (TRUE)  (TRUE))  are  well  formed.  Our  definition  of  PLUS 
"coerces"  nonintegers  to  (ZERO).  In  particular,  we  define  PLUS  with  the 
equation: 

Definition.

(PLUS X Y)
=
(IF (ZEROP X)
    (FIX Y)
    (ADD1 (PLUS (SUB1 X) Y))),

where  (ZEROP  X)  is  defined  to  be  (TRUE)  when  X  is  (ZERO)  or  not  a 
number,  and  (FALSE)  when  X  is  a  non-(ZERO)  number;  (FIX  Y)  is  defined  to 
be  Y  if  Y  is  a  number  and  (ZERO)  otherwise. 

That  completes  our  brief  sketch  of  the  theory. 

B.  Abbreviations 

It  is  convenient  to  be  able  to  write  down  certain  terms  succinctly. 
In [1] we introduce certain abbreviations, such as using (AND P Q R) as
an abbreviation of (AND P (AND Q R)), using 3 as an abbreviation of
(ADD1 (ADD1 (ADD1 (ZERO)))), and using (CADDR X) as an abbreviation of
(CAR (CDR (CDR X))).

In  this  paper  we  modify  one  of  our  conventions  and  introduce  two 
new  ones. 

We  modify  the  convention  in  [1]  under  which  expressions  such  as 
"X"  and  "PLUS"  were  abbreviations  for  certain  LITATOM  constants.  We 
continue  to  use  quotation  marks  to  abbreviate  LITATOMs,  but  we  change 
the  encoding.  That  is,  we  here  adopt  a  new  convention  under  which  "X" 
is  an  abbreviation  for  a  LITATOM,  but  for  a  different  LITATOM  than 
specified in [1]. Our new encoding (which makes it easier to implement
metafunctions efficiently) is as follows. Suppose wrd is a sequence of
ASCII characters c_1, ..., c_n satisfying the definition of a "symbol"
(see Section III). Suppose the ASCII character codes for c_1, ..., c_n
are the integers i_1, ..., i_n. Then "wrd" is an abbreviation of

(PACK (CONS i_1 (CONS i_2 ... (CONS i_n 0) ...))).

Thus, "NIL" is an abbreviation of

(PACK (CONS 78 (CONS 73 (CONS 76 0)))),

and "QUOTE" is an abbreviation of

(PACK (CONS 81 (CONS 85 (CONS 79 (CONS 84 (CONS 69 0)))))).

One  of  the  axioms  for  the  PACK  shell  is  that  (EQUAL  (PACK  X)  (PACK  Y)) 
is  true  if  and  only  if  (EQUAL  X  Y)  is  true.  Thus,  "NIL"  is  not  "QUOTE" 
because,  using  the  similar  axioms  about  the  CONS  and  ADD1  shells,  (CONS 
78  ...)  is  not  equal  to  (CONS  81  ...).  In  general,  two  abbreviated 
literal  atoms  are  EQUAL  if  and  only  if  the  abbreviations  are  identical. 

We  introduce  the  following  two  new  abbreviation  conventions. 

First, following LISP, we use (LIST t_1 ... t_n) as an abbreviation
of

(CONS t_1 (CONS t_2 ... (CONS t_n "NIL"))).

Thus, (LIST A B C) is an abbreviation of (CONS A (CONS B (CONS C
"NIL"))).

Second,  in  Section  III  we  will  introduce  a  shell  representing  the 
negative  integers  and  we  shall  there  adopt  a  convention  for  abbreviating 
negative  constants. 
C. A Hypothetical Problem

We  will  now  describe  a  realistic  scenario  in  which  the  user  of  an 
automatic  theorem-prover  is  confronted  with  the  inadequacy  of  the  system 
and  is  forced  to  consider  the  various  alternative  means  of  overcoming 
the  problem. 

Suppose  we  have  a  mechanical  theorem-prover  for  the  logic  just 
described  and  that  the  theorem-prover  can  use  equations  as  rewrite 
rules.  Further  suppose  that  we  had  instructed  our  theorem-prover  to 
prove  and  then  use  the  following  equation  as  a  rewrite  rule: 

(EQUAL (EQUAL (PLUS X Y) (PLUS X Z))
       (EQUAL (FIX Y) (FIX Z))).

This  theorem  is  the  cancellation  law  for  addition.  Roughly  speaking,  it 
says  that  if  X  is  an  addend  on  both  sides  of  an  equation  it  can  be 
"cancelled."  FIX  is  used  because  PLUS  coerces  its  arguments  to 
integers. 

Applying  this  lemma  as  a  rewrite  rule  from  left  to  right  allows  the 
system  to  rewrite  the  equation: 

(EQUAL (PLUS I (PLUS X Y))
       (PLUS I (PLUS J K)))

to the equation

(EQUAL (PLUS X Y)
       (PLUS J K))

(since  (FIX  (PLUS  x  y))  reduces  to  (PLUS  x  y)  because  PLUS  is  always 
numeric).  So,  apparently,  our  rewrite-driven  system  now  "knows"  how  to 
cancel  common  addends. 

But  consider  the  following  equation: 

(EQUAL (PLUS (PLUS A I) (PLUS B K))
       (PLUS J (PLUS K (PLUS I X)))).

The cancellation law cannot be applied here, because the law requires
that the common addend be the first argument of the outermost PLUS-
expression. Here we want to cancel the second and fourth addends on one
side against the third and second on the other.

How  might  the  user  of  our  system  respond  to  this  failure  of  the 
system  to  carry  out  such  a  step  in  the  proof?  We  consider  the  three 
alternatives sketched in the introduction and then the meta-approach.*

D. An Example of Alternative 1

Alternative (1) is to recode the theorem-prover. One suitable
modification would be to build in an associative-commutative unification
routine that "knows" PLUS is such a function and thus allows the
cancellation law, in the form in which it was stated, to apply. A more
direct solution would be to write a special-purpose routine for
cancellation of PLUS. Roughly speaking, the code for such a
modification would be as follows. If the expression in question is of
the form (EQUAL t1 t2), regard t1 and t2 as trees of addends and compute
their fringes. The intersection of the two fringes is the list of
common addends. The result of cancelling all common addends is then
obtained by removing each common addend from each fringe, reconstituting
two PLUS expressions from the altered fringes and constructing the
equation of those two expressions.

Such  a  program  would  correctly  transform: 

(EQUAL (PLUS (PLUS A I) (PLUS B K))
       (PLUS J (PLUS K (PLUS I X))))

to

(EQUAL (PLUS A B)
       (PLUS J X)).


* Lest the reader think that a mechanical theorem-prover without built-
in cancellation is a straw man designed to show off the use of
metafunctions, it should be observed that our theorem-prover, as
described in [1], has no built-in arithmetic of any sort and yet can
prove its way from the Peano axioms through the prime factorization
theorem. Nevertheless, the addition of a cancellation mechanism
improves the power and performance of the system.


However, one must be careful. For example, if the intersect and
delete operations do not respect duplications, one is liable to
incorrectly simplify:

(EQUAL (PLUS A (PLUS A (PLUS B C)))
       (PLUS A (PLUS X Y)))

to

(EQUAL (PLUS B C)
       (PLUS X Y)),

cancelling  two  occurrences  of  A  on  the  left  against  only  one  on  the 
right.  In  addition,  one  must  remember  that  PLUS  coerces  its  arguments. 
For  example,  the  simplification  of: 

(EQUAL (PLUS A B) (PLUS A (PLUS C D)))

to

(EQUAL B (PLUS C D))

is  invalid,  because  the  former  might  be  true  for  a  nonnumeric  B  while 
the  latter  would  be  false. 

Thus,  the  implementor  of  the  theorem-prover  must  consider  these 
issues  carefully  before  modifying  the  system.  A  less  expert  user  of  the 
system  should  not  be  allowed  to  make  such  a  change. 

E. An Example of Alternative 2

Alternative  (2)  is  to  carry  out  the  cancellation  by  directing  a 
proof-checker-like  facility.  This  assumes  the  system  has  been  well 
enough  engineered  to  allow  the  user  to  intervene  at  this  step  in  the 
proof  without  disabling  all  the  desirable  aspects  of  the  automatic 
theorem-prover.  But  suppose  we  can  so  intervene.  Recall  the  equation 
we  wish  to  simplify 

(EQUAL (PLUS (PLUS A I) (PLUS B K))
       (PLUS J (PLUS K (PLUS I X)))).

To describe the proof steps we must refer to individual PLUS-expressions
in the formula. We number the PLUS-expressions consecutively from 1 to
6, in the left-to-right order in which they appear. Each time we change
the equation, we renumber the PLUS terms with the same algorithm. Here
is one of many possible sequences for simplifying the formula above,
assuming we have proved that PLUS is associative and commutative:

Commute  2 
Reassociate  1 
Commute  5 
Reassociate  5 
Commute  4 
Reassociate  4 
Cancel 
Commute  2 
Commute  1 
Reassociate  1 
Commute  4 
Reassociate  3 
Cancel 

The  result  is 

(EQUAL (PLUS B A)
       (PLUS X J)).

This  alternative  does  not  solve  the  general  problem  of  enabling  the 
automatic  theorem-prover  to  carry  out  arbitrary  cancellations. 
Consequently,  the  user  of  the  system  must  still  be  prepared  to  intervene 
when  opportunities  for  cancellation  arise  in  the  future. 

To  solve  the  general  problem  with  this  technique  we  would  have  to 
write  a  program  that  detects  the  presence  of  common  addends  and 
generates  a  sequence  of  proof  steps  for  cancelling  them.  This  is  just 
the  approach  of  the  first  "camp"  described  in  Section  I.  The  program 
could  use  the  fringe- intersection  technique  described  above  to  identify 
the  common  addends.  Then,  for  each  common  addend,  t,  the  program  could 
generate  a  sequence  of  commute  and  associate  instructions  intended  to 
move  t  into  the  first  argument  of  the  outermost  PLUS  on  each  side,  and 
then generate a cancel instruction. Finally, the entire sequence of
instructions would be given to the proof-checker and actually carried
out. Of course, we do not have to worry about a mistake in our program
rendering our theorem-prover unsound, but the process of generating the
proof steps and then carrying them out is far more tedious than the ad
hoc approach of the first alternative.

F. An Example of Alternative 3

Alternative  (3)  is  to  prove  sufficient  lemmas  to  let  the  theorem- 
prover  carry  out  the  necessary  proof  steps.  In  this  case,  it  is 
sufficient  to  prove  the  ugly  lemma: 

(EQUAL (EQUAL (PLUS (PLUS A I) (PLUS B K))
              (PLUS J (PLUS K (PLUS I X))))
       (EQUAL (PLUS A B)
              (PLUS J X)))

by  induction.  This  lemma  is  merely  an  ugly  version  of  the  PLUS- 
cancellation  law. 

Once  again  we  see  that  the  solution  to  the  specific  problem  does 
not  solve  the  general  one  of  enabling  the  rewrite  rules  to  carry  out  an 
arbitrary  cancellation.  For  example,  each  of  the  equations  below 
requires  different  versions  of  the  cancellation  law. 

(EQUAL (PLUS X Y)
       (PLUS X Z))

(EQUAL (PLUS A1 (PLUS X Y))
       (PLUS B1 (PLUS X Z)))

(EQUAL (PLUS A1 (PLUS A2 (PLUS X Y)))
       (PLUS B1 (PLUS B2 (PLUS X Z))))

not to mention the "skewed" versions such as:

(EQUAL (PLUS A1 (PLUS A2 (PLUS X Y)))
       (PLUS X Z))

(EQUAL (PLUS A1 (PLUS A2 (PLUS X Y)))
       (PLUS B1 (PLUS X Z)))


It should be clear that no finite set of such rewrite rules will
suffice to carry out all cancellations (unless we opted for alternative
(1) and first built in some facts about the equivalence classes of PLUS
expressions under associativity and commutativity).

G. The Meta-Approach

So much for the conventional alternatives. The meta-approach
proposed  in  this  paper  is  to  encode  the  cancellation  algorithm  as  a 
function  in  the  logic  itself  and  to  prove  it  correct.  We  first  describe 
how  we  represent  symbolic  expressions  as  objects  in  our  theory,  then  we 
derive  a  definition  of  the  cancellation  function,  and  the  statement  of 
its  correctness.  Finally,  we  show  how  the  statement  of  correctness, 
once  proved,  enables  us  to  perform  arbitrary  cancellations  from  within 
the  theory. 

1. Symbolic Expressions

Since  we  want  to  write  recursive  functions  on  symbolic 
expressions  we  have  to  represent  such  expressions  in  terms  of  the 
objects  of  our  theory,  e.g.,  LITATOMs  and  LISTPs.  Our  symbolic 
expressions  will  be  either  variable  symbols  or  the  applications  of 
function  symbols  to  argument  expressions.  We  represent  function  and 
variable  symbols  by  LITATOMs.  We  represent  the  application  of  a 
function  symbol  to  some  arguments  by  the  LISTP  object  whose  CAR  is  the 
function  symbol  and  whose  CDR  is  a  list  of  the  appropriate  number  of 
argument  expressions.  Thus,  the  LITATOM  (PACK  (CONS  65  0)),  abbreviated 
as  "A",  is  a  symbolic  expression  that  can  be  thought  of  as  representing 
a  variable  symbol.  The  LISTP  object 
(CONS "PLUS" (CONS "A" (CONS "I" "NIL")))


which  may  be  abbreviated  as 

(LIST  "PLUS"  "A"  "I") 

is  a  symbolic  expression  representing  the  application  of  the  function 
symbol  "PLUS"  to  two  variable  expressions,  "A"  and  "I". 

Intuitively,  the  symbolic  expression  above  corresponds  to 
(PLUS  A  I),  the  application  of  the  function  PLUS  to  two  arguments. 
Eventually  we  will  formally  assign  meanings  to  symbolic  expressions, 
making  clear  the  connection  between  the  LITATOM  "PLUS"  and  the  function 
PLUS.  But  at  the  moment,  the  reader  is  advised  to  ignore  that  aspect  of 
the  problem,  forget  that  we  are  in  a  mathematical  logic,  and  just 
pretend  we  are  writing  a  program  to  manipulate  such  expressions 
according  to  the  intuitive  notion  of  their  semantics. 

2.  The  Cancellation  Algorithm 

We  want  a  function,  which  we  will  call  CANCEL,  that  when 
applied  to  a  symbolic  expression  representing  an  equation  such  as 

(EQUAL (PLUS (PLUS A I) (PLUS B K))
       (PLUS J (PLUS K (PLUS I X)))),

yields  the  symbolic  expression  representing  the  cancelled  equation, 

(EQUAL  (PLUS  A  B) 

(PLUS  J  X)). 

Here  is  how  our  function  works.  We  first  ask  whether  the 
expression  is  an  equality  with  PLUS-expressions  in  both  arguments.  If 
so,  we  compute  the  fringe  of  the  two  PLUS-trees  and  intersect  them  (with 
a  "bag  intersection"  function  which  respects  duplications)  to  obtain  a 
list  of  common  addends.  We  subtract  the  common  addends  from  each  fringe 
(with  "bag  difference"  which  also  respects  duplications).  Finally,  we 
construct  two  new  PLUS-trees  from  the  two  resulting  bags  of  addends  and 
embed  them  in  an  EQUAL  expression. 
We thus need functions for recognizing symbolic equations and
PLUS-expressions, a function for computing the fringe of a tree of PLUS-
expressions, the bag intersection and difference functions, and the
function for constructing a tree of PLUS-expressions given the list of
addends.


The function PLUS.TREE?, defined below, returns (TRUE) or
(FALSE) according to whether its argument is a symbolic expression
representing the application of the function symbol "PLUS":

Definition.

(PLUS.TREE? X)
=
(AND (LISTP X)
     (EQUAL (CAR X) "PLUS")).

If (PLUS.TREE? X) is (TRUE) we call X a "PLUS-tree." We could have
defined PLUS.TREE? to check that (CDR X) is a list of two elements, but
we will always be able to derive that if X is known to be well-formed.
If X is a PLUS-tree then (CADR X) is the first argument expression and
(CADDR X) is the second. The function EQUALITY? is similarly defined
but recognizes symbolic equations.

We  define  the  "fringe"  of  an  expression  with  the  function 
FRINGE.  If  its  argument  is  a  PLUS-tree,  FRINGE  recursively  determines 
the  fringe  of  the  two  arguments  and  concatenates  them  with  the  function 
APPEND.  If  its  argument  is  not  a  PLUS-tree,  FRINGE  returns  the 
singleton  list  containing  that  argument. 

Definition.

(FRINGE X)
=
(IF (PLUS.TREE? X)
    (APPEND (FRINGE (CADR X))
            (FRINGE (CADDR X)))
    (CONS X "NIL")).

Before the equation above is admitted into the theory, the
definitional principle requires the exhibition of a measure under which
the argument is getting smaller according to some well-founded relation.
The measure COUNT and relation LESSP are sufficient; in particular,
both (CADR X) and (CADDR X) have smaller COUNT than X when X is a LISTP,
even if X is not a well-formed PLUS-expression. Thus, the equation
above is satisfied by one and only one function (as proved in [1]).

If X is

(LIST "PLUS"
      (LIST "PLUS" "A" "I")
      (LIST "PLUS" "B" "K"))

then (FRINGE X) is

(LIST "A" "I" "B" "K").

To  operate  on  fringes  we  need  the  bag  intersection  and 
difference  functions.  Since  the  definitions  are  similar,  we  consider 
only  the  bag  intersection  function.  The  usual  list  intersection 
function  asks  of  each  element,  e,  in  its  first  argument  whether  e  is  in 
the  second.  If  so,  e  is  put  into  the  answer  list,  and  if  not,  e  is  not 
put  into  the  answer  list.  If  e  occurs  m  times  in  the  first  argument  and 
at  least  once  in  the  second,  it  is  put  into  the  answer  m  times.  This 
will  not  do  for  our  purposes,  since  it  would  lead  us  to  believe  we  could 
cancel  m  occurrences  of  e.  We  must  pay  special  attention  to 
duplications.  In  particular,  if  e  occurs  in  the  first  argument  m  times 
and  in  the  second  n  times,  then  it  must  occur  in  the  answer  min(m,n) 
times.  This  can  be  arranged  by  deleting  an  occurrence  of  e  from  the 
second  argument  as  soon  as  it  has  been  used  against  an  occurrence  in  the 
first  argument.  Here  is  the  definition  of  the  bag  intersection 
function: 

Definition.

(BAGINT X Y)
=
(IF (LISTP X)
    (IF (MEMBER (CAR X) Y)
        (CONS (CAR X)
              (BAGINT (CDR X)
                      (DELETE (CAR X) Y)))
        (BAGINT (CDR X) Y))
    "NIL").
For example,

(BAGINT (LIST "B" "C" "C" "D" "D")
        (LIST "A" "C" "C" "D" "E" "F"))

is equal to (LIST "C" "C" "D").* The bag difference function, BAGDIFF,
is similarly defined.

* The reader may be uncomfortable with the claim that BAGINT is the bag
intersection function. How do we know we have thought of all the cases?
The fact is that it does not matter. Since our functions are introduced
under the principle of definition we are certain they are functions.
Our bag intersection function might not be the same function the reader
is thinking of, but it does exist and is uniquely defined. The proof of
the correctness of CANCEL will establish that it has the necessary
properties.

Finally, we must define the function PLUS.TREE that converts a
list of addends into a tree of PLUS-expressions. Recall that PLUS.TREE
is used to "reconstitute" a PLUS-expression from its fringe minus any
common addends. There are several special cases. If the new fringe is
empty, it means all the elements of the old fringe were cancelled.
Thus, PLUS.TREE should return the term representing 0. If the new
fringe contains only one addend, x, then PLUS.TREE should return a
symbolic term that "coerces" x to a number since that is what the
original PLUS expression would have done. A suitable expression is (FIX
x). Otherwise, PLUS.TREE builds a right-associated PLUS-tree from the
list.

Definition.

(PLUS.TREE L)
=
(IF (NOT (LISTP L))
    (LIST "ZERO")
    (IF (NOT (LISTP (CDR L)))
        (LIST "FIX" (CAR L))
        (IF (NOT (LISTP (CDDR L)))
            (LIST "PLUS" (CAR L) (CADR L))
            (LIST "PLUS"
                  (CAR L)
                  (PLUS.TREE (CDR L)))))).

For example, when PLUS.TREE is given the list containing the symbolic
expressions for the variables A, B, and C, it returns the symbolic
expression for

(PLUS A (PLUS B C)),

that is, (PLUS.TREE (LIST "A" "B" "C")) is

(LIST "PLUS"
      "A"
      (LIST "PLUS" "B" "C")).


We  are  now  prepared  to  write  a  preliminary  definition  of  CANCEL: 


Definition.

(CANCEL X)
=
(IF (AND (EQUALITY? X)
         (PLUS.TREE? (CADR X))
         (PLUS.TREE? (CADDR X)))
    (LIST "EQUAL"
          (PLUS.TREE
           (BAGDIFF (FRINGE (CADR X))
                    (BAGINT (FRINGE (CADR X))
                            (FRINGE (CADDR X)))))
          (PLUS.TREE
           (BAGDIFF (FRINGE (CADDR X))
                    (BAGINT (FRINGE (CADR X))
                            (FRINGE (CADDR X))))))
    X).


But this definition of CANCEL does not handle the cancellation
suggested by (EQUAL (PLUS A (PLUS B C)) A) because the second argument
to the EQUAL is not a PLUS-tree. This situation will be handled
specially. It is incorrect to follow the paradigm above and produce
(EQUAL (PLUS B C) 0), because if A is nonnumeric, the former equation is
(FALSE) while the latter might be (TRUE). A correct way to cancel
(EQUAL (PLUS A (PLUS B C)) A) is to produce:

(IF (NUMBERP A)
    (EQUAL (PLUS B C) 0)
    (FALSE)).

We  therefore  add  two  more  cases  to  the  definition  of  CANCEL, 
one  to  handle  the  possibility  that  the  second  argument  to  the  equation 
is not a PLUS-tree but is a member of the fringe of the first, and the
other  to  handle  the  symmetric  case. 

Here  is  the  final  definition  of  CANCEL. 


Definition.

(CANCEL X)
=
(IF (AND (EQUALITY? X)
         (PLUS.TREE? (CADR X))
         (PLUS.TREE? (CADDR X)))
    (LIST "EQUAL"
          (PLUS.TREE
           (BAGDIFF (FRINGE (CADR X))
                    (BAGINT (FRINGE (CADR X))
                            (FRINGE (CADDR X)))))
          (PLUS.TREE
           (BAGDIFF (FRINGE (CADDR X))
                    (BAGINT (FRINGE (CADR X))
                            (FRINGE (CADDR X))))))
    (IF (AND (EQUALITY? X)
             (PLUS.TREE? (CADR X))
             (MEMBER (CADDR X) (FRINGE (CADR X))))
        (LIST "IF"
              (LIST "NUMBERP" (CADDR X))
              (LIST "EQUAL"
                    (PLUS.TREE (DELETE (CADDR X)
                                       (FRINGE (CADR X))))
                    (LIST "ZERO"))
              (LIST "FALSE"))
        (IF (AND (EQUALITY? X)
                 (PLUS.TREE? (CADDR X))
                 (MEMBER (CADR X) (FRINGE (CADDR X))))
            (LIST "IF"
                  (LIST "NUMBERP" (CADR X))
                  (LIST "EQUAL"
                        (LIST "ZERO")
                        (PLUS.TREE (DELETE (CADR X)
                                           (FRINGE (CADDR X)))))
                  (LIST "FALSE"))
            X))).
The table below illustrates CANCEL's input-output behavior.
If c is a symbolic expression corresponding to the equation in some row
of the "input" column, then the equation corresponding to (CANCEL c) is
given in the same row of the "output" column.

Input                                      Output

(EQUAL (PLUS (PLUS A I) (PLUS B K))        (EQUAL (PLUS A B)
       (PLUS J (PLUS I (PLUS K X))))              (PLUS J X))

(EQUAL (PLUS A X)                          (EQUAL (ZERO) (FIX B))
       (PLUS A (PLUS B X)))

(EQUAL A (PLUS A B))                       (IF (NUMBERP A)
                                               (EQUAL (ZERO) (FIX B))
                                               (FALSE))


The  reader  may  be  discouraged  by  the  complicated  nature  of  the 
cancellation  algorithm.  However,  the  algorithm  is  no  more  complicated 
than  the  logic  requires  and  raises  the  very  issues  we  would  have  to  face 
were  we  to  build  a  general-purpose  cancellation  algorithm  into  the 
theorem-prover  by  any  of  the  alternatives  sketched.  Furthermore,  in 
stark  contrast  to  alternative  1,  we  will  here  have  our  fears  of  lurking 
bugs  eradicated  by  the  system's  proof  of  the  correctness  of  the 
algorithm. 

3. Correctness of CANCEL

What does it mean to say that CANCEL is correct? Intuitively,
we would like to require that the output equation have the same truth
value under all assignments as the input equation. To express this
exactly, we introduce the notion of the "value" or "meaning" of an
expression under an assignment to the variables in it.

For example, the meaning of (LIST "PLUS" "A" "I") under a
given assignment is the sum of the meanings of "A" and "I" under the
assignment. Suppose the only function symbols in which we were
interested were FALSE, ZERO, FIX, NUMBERP, PLUS, TIMES, EQUAL, and IF.
Then we can define the function MEANING of two arguments, an expression
and a list of pairs associating variables (in the CAR of each pair) with
values (in the CDR). Given an atomic symbol, MEANING looks up and
returns its value under the list of pairs using the function LOOKUP.*

Given an expression representing the application of one of the
function symbols above, MEANING returns the result of applying the
corresponding function to the recursively obtained MEANINGs of the
arguments. Given any other object, MEANING returns the arbitrarily
chosen value (TRUE).


Definition.

(MEANING X A)
=
(IF (NOT (LISTP X))
    (LOOKUP X A)
    (IF (EQUAL (CAR X) "FALSE")
        (FALSE)
        (IF (EQUAL (CAR X) "ZERO")
            (ZERO)
            (IF (EQUAL (CAR X) "FIX")
                (FIX (MEANING (CADR X) A))
                (IF (EQUAL (CAR X) "NUMBERP")
                    (NUMBERP (MEANING (CADR X) A))
                    (IF (EQUAL (CAR X) "PLUS")
                        (PLUS (MEANING (CADR X) A)
                              (MEANING (CADDR X) A))
                        (IF (EQUAL (CAR X) "TIMES")
                            (TIMES (MEANING (CADR X) A)
                                   (MEANING (CADDR X) A))
                            (IF (EQUAL (CAR X) "EQUAL")
                                (EQUAL (MEANING (CADR X) A)
                                       (MEANING (CADDR X) A))
                                (IF (EQUAL (CAR X) "IF")
                                    (IF (MEANING (CADR X) A)
                                        (MEANING (CADDR X) A)
                                        (MEANING (CADDDR X) A))
                                    (TRUE))))))))))


*  LOOKUP  is  defined  in  Section  III 




There  is  nothing  magic  or  "meta"  about  this  function.*  The 
equation  defines  a  unique  function  and  is  accepted  under  the  principle 
of  definition  because  in  each  recursive  call  the  COUNT  (i.e.,  size)  of 
the  first  argument  gets  smaller  according  to  the  well-founded  relation 
LESSP.  We  happen  to  use  the  function  PLUS  to  compute  the  value  of  a 
form  beginning  with  the  LITATOM  "PLUS",  but  this  association  between  the 
two  is  only  an  artifact  of  our  definition  of  MEANING. 

The intuitive statement that CANCEL is correct is that under
any assignment the MEANINGs of the input and output of CANCEL are
identical.

Theorem. CANCEL.PRESERVES.MEANING

(EQUAL (MEANING X A)
       (MEANING (CANCEL X) A)).

This conjecture can be proved by our theorem-prover; the proof
is discussed later in this paper. For the moment, suppose we have
proved CANCEL.PRESERVES.MEANING.
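The definition of CANCEL (with the table of its behavior), the definition of MEANING, and the theorem CANCEL.PRESERVES.MEANING, transcribed into Python as an added example; this is not the paper's code. Symbolic expressions are nested Python lists with strings as symbols. The shape PLUS.TREE gives to a bag is not defined in this section and is inferred from the table (an assumption): (ZERO) for an empty bag and (FIX a) for a single addend. The helper naive_cancel is likewise constructed here to stand for the unguarded rewrite the text rejects. Checking preserves_meaning under a few assignments is not a proof, but it shows concretely why the NUMBERP guard is needed: when A is bound to a non-number the guarded output agrees with the input and the unguarded one does not.

```python
# Added example (not the paper's code): CANCEL and MEANING from Sections II.2
# and II.3 in Python.  A symbol is a str; (fn a1 ... an) is [fn, a1, ..., an].
# Distinct sentinels stand for the objects (TRUE) and (FALSE): Python's own
# False compares equal to 0 and would make EQUAL identify (FALSE) with (ZERO).
TRUE = ("TRUE",)
FALSE = ("FALSE",)

def numberp(v):
    return isinstance(v, int) and not isinstance(v, bool)

def fix(v):
    """(FIX v): v if it is a number, otherwise 0 (how PLUS coerces its arguments)."""
    return v if numberp(v) else 0

def lookup(x, alist):
    """LOOKUP (Section III): value bound to x in a list of (name, value) pairs."""
    for name, value in alist:
        if name == x:
            return value
    return "NIL"

def meaning(x, alist):
    """MEANING for FALSE, ZERO, FIX, NUMBERP, PLUS, TIMES, EQUAL and IF."""
    if not isinstance(x, list):                      # (NOT (LISTP X))
        return lookup(x, alist)
    fn, args = x[0], x[1:]
    if fn == "FALSE":
        return FALSE
    if fn == "ZERO":
        return 0
    if fn == "FIX":
        return fix(meaning(args[0], alist))
    if fn == "NUMBERP":
        return TRUE if numberp(meaning(args[0], alist)) else FALSE
    if fn == "PLUS":
        return fix(meaning(args[0], alist)) + fix(meaning(args[1], alist))
    if fn == "TIMES":
        return fix(meaning(args[0], alist)) * fix(meaning(args[1], alist))
    if fn == "EQUAL":
        return TRUE if meaning(args[0], alist) == meaning(args[1], alist) else FALSE
    if fn == "IF":                                   # only (FALSE) is false
        test = meaning(args[0], alist)
        return meaning(args[2], alist) if test == FALSE else meaning(args[1], alist)
    return TRUE                                      # any other object: arbitrary value

def app2_p(x, fn):
    """EQUALITY? and PLUS.TREE?: a two-argument application of fn."""
    return isinstance(x, list) and len(x) == 3 and x[0] == fn

def fringe(x):
    """Bag (list with multiplicity) of the addends of a PLUS-tree."""
    return fringe(x[1]) + fringe(x[2]) if app2_p(x, "PLUS") else [x]

def bagdiff(b1, b2):
    """b1 with one occurrence of each element of b2 removed; DELETE is bagdiff(b, [e])."""
    rest = list(b1)
    for e in b2:
        if e in rest:
            rest.remove(e)
    return rest

def bagint(b1, b2):
    """Bag intersection: the elements of b1 that also occur in b2, with multiplicity."""
    return bagdiff(b1, bagdiff(b1, b2))

def plus_tree(bag):
    """PLUS.TREE as inferred from the table (assumption): (ZERO) for an empty bag,
    (FIX a) for one addend, otherwise a right-nested PLUS-tree."""
    if not bag:
        return ["ZERO"]
    if len(bag) == 1:
        return ["FIX", bag[0]]
    if len(bag) == 2:
        return ["PLUS", bag[0], bag[1]]
    return ["PLUS", bag[0], plus_tree(bag[1:])]

def cancel(x):
    """The three cases of the final CANCEL; anything else is returned unchanged."""
    if app2_p(x, "EQUAL") and app2_p(x[1], "PLUS") and app2_p(x[2], "PLUS"):
        common = bagint(fringe(x[1]), fringe(x[2]))
        return ["EQUAL", plus_tree(bagdiff(fringe(x[1]), common)),
                plus_tree(bagdiff(fringe(x[2]), common))]
    if app2_p(x, "EQUAL") and app2_p(x[1], "PLUS") and x[2] in fringe(x[1]):
        return ["IF", ["NUMBERP", x[2]],
                ["EQUAL", plus_tree(bagdiff(fringe(x[1]), [x[2]])), ["ZERO"]],
                ["FALSE"]]
    if app2_p(x, "EQUAL") and app2_p(x[2], "PLUS") and x[1] in fringe(x[2]):
        return ["IF", ["NUMBERP", x[1]],
                ["EQUAL", ["ZERO"], plus_tree(bagdiff(fringe(x[2]), [x[1]]))],
                ["FALSE"]]
    return x

def naive_cancel(x):
    """Constructed here: the unguarded rewrite the text rejects, (EQUAL (PLUS B C) 0)."""
    return ["EQUAL", plus_tree(bagdiff(fringe(x[1]), [x[2]])), ["ZERO"]]

def preserves_meaning(simplifier, x, assignments):
    """CANCEL.PRESERVES.MEANING, checked on x under each assignment supplied."""
    return all(meaning(x, a) == meaning(simplifier(x), a) for a in assignments)
```

Feeding the three rows of the table to cancel reproduces the outputs shown. With x the expression for (EQUAL (PLUS A (PLUS B C)) A) and A bound to "NIL", meaning(x, a) is (FALSE) because (PLUS "NIL" ...) is a number while "NIL" is not, cancel(x) also evaluates to (FALSE) through its NUMBERP test, and naive_cancel(x) evaluates to (TRUE), which is exactly the unsoundness the guard prevents.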

4.  Using  CANCEL  to  Cancel 

We now have a recursive function, CANCEL, that manipulates
LISTP objects as though they were equations, and we can prove that the
function is correct with respect to a particular definition of MEANING.
But how can we use CANCEL to prove theorems?

Let  us  consider  our  example  again.  Suppose  we  are  proving 
some  conjecture  and  would  like  to  cancel  the  common  addends  in  the 
following  equation,  which  we  will  call  p: 

(EQUAL  (PLUS  (PLUS  A  I)  (PLUS  B  K)) 

(PLUS  J  (PLUS  I  (PLUS  K  X)))). 


* The prefix "meta" suggests something arcane, such as metaphysics. In
fact, "meta" is Greek for "after." Metaphysics is so named not because
it is subtly related to physics but because in the received order of
Aristotle's works, the treatment of being, substance, cause, etc. comes
after the treatises on physical matters.
That is, we would like to replace p by its cancelled form, which we will
call q:

(EQUAL (PLUS A B)
       (PLUS J X)).


How can we use CANCEL, which operates on symbolic expressions,
to derive the equation q from p and how do we know that q and p are
provably equal?

Let c stand for the following term

(CONS "EQUAL"
      (CONS (CONS "PLUS"
                  (CONS (CONS "PLUS" (CONS "A" (CONS "I" "NIL")))
                        (CONS (CONS "PLUS" (CONS "B" (CONS "K" "NIL")))
                              "NIL")))
            (CONS (CONS "PLUS"
                        (CONS "J"
                              (CONS (CONS "PLUS"
                                          (CONS "I"
                                                (CONS (CONS "PLUS" (CONS "K" (CONS "X" "NIL")))
                                                      "NIL")))
                                    "NIL")))
                  "NIL"))),


which may be abbreviated as

(LIST "EQUAL"
      (LIST "PLUS"
            (LIST "PLUS" "A" "I")
            (LIST "PLUS" "B" "K"))
      (LIST "PLUS"
            "J"
            (LIST "PLUS"
                  "I"
                  (LIST "PLUS" "K" "X")))).
Let alist stand for the term:

(LIST (CONS "A" A) (CONS "I" I) (CONS "B" B)
      (CONS "K" K) (CONS "J" J) (CONS "X" X)).


Then  it  is  straightforward  to  confirm  that  the  MEANING  of  c 
under  alist  is  in  fact  p,  the  formula  we  wish  to  simplify.  That  is,  the 
following  is  a  theorem  that  may  be  proved  by  tediously  expanding  the 
definition  of  MEANING: 

*1  (EQUAL  p  (MEANING  c  alist)). 


But by CANCEL.PRESERVES.MEANING we have the theorem:

*2 (EQUAL (MEANING c alist)
          (MEANING (CANCEL c) alist)).


By  expanding  the  definition  of  CANCEL  we  see  that  (CANCEL  c)  is  equal 
to: 


(LIST  "EQUAL" 

(LIST  "PLUS"  "A"  "B") 
(LIST  "PLUS"  "J"  "X")), 


which  we  will  call  d.  Thus,  we  have  the  theorem: 


*3  (EQUAL  (MEANING  (CANCEL  c)  alist) 

(MEANING  d  alist)). 


But,  by  expanding  the  definition  of  (MEANING  d  alist)  we  have 

*4  (EQUAL  (MEANING  d  alist) 

(EQUAL  (PLUS  A  B)  (PLUS  J  X))), 

or,  equivalently 

(EQUAL  (MEANING  d  alist)  q) 


since  the  right-hand  side  of  *4  is  the  equation  we  named  q. 
Thus, we can indeed use MEANING, CANCEL.PRESERVES.MEANING and
CANCEL to derive q from p; furthermore, the chain of equalities *1 - *4
is a proof, within the theory, that p is equal to q, so we may replace p
by q.

The  paradigm  for  using  CANCEL  as  a  formula  simplifier  is  to 
"lift"  the  formula  to  a  symbolic  expression  with  MEANING,  "compute" 
CANCEL  on  that  symbolic  expression,  and  then  use  MEANING  again  to  "drop" 
the  symbolic  expression  back  down  to  a  formula.  Of  course,  using  the 
words  "lift"  and  "drop"  suggests  that  we  are  "ascending"  to  and 
"descending"  from  the  metatheory,  when  in  fact  we  are  just  translating 
the  problem  from  one  form  to  another. 

It  should  be  clear  that  we  can  use  MEANING  and  CANCEL  in  this 
way  to  carry  out  an  arbitrary  cancellation,  provided  we  can  "lift"  the 
formula  into  symbolic  form  and  "drop"  the  output  of  CANCEL. 

However,  were  we  to  implement  the  mechanical  application  of 
"metafunctions"  along  the  lines  just  described,  the  implementation  would 
sink  into  a  swamp  of  PLUS-trees.  Note  for  example  that  in  lifting  p  we 
had  to  create  a  very  large  term,  c.  How  do  we  even  know  such  a  term 
exists?  Can  we  obtain  it  without  a  lot  of  work?  Can  we  be  sure  that 
its  MEANING  is  equal  to  p  without  the  tedious  expansion  of  MEANING 
required  to  justify  *1?  How  can  we  quickly  simplify  (CANCEL  c)  to  some 
new  symbolic  expression?  Once  that  expression  is  obtained,  do  we  know 
we  can  drop  it  back  down  to  a  formula  —  that  is,  a  formula  not 
involving  MEANING? 

The  remainder  of  this  paper  answers  these  and  other  questions. 
In  particular,  we  carefully  develop  the  logic  behind  the  introduction 
and  use  of  metafunctions,  we  describe  an  INTERLISP  implementation  that 
is  very  efficient,  and  we  prove  the  correctness  of  our  implementation. 




III FORMALITIES


Here  we  lay  some  groundwork  for  the  proof  of  the  Metatheorem. 

A.  Alterations  to  A  Computational  Logic 

The  basic  logic  for  which  we  prove  the  Metatheorem  is  the  one 
described  in  Chapter  III  of  A  Computational  Logic.  To  implement  our 
approach  to  metafunctions,  we  found  it  desirable  to  make  the  following 
superficial  changes  to  that  logic. 

1.  Syntax 

Here  we  alter  the  syntax  of  our  language  by  increasing  the  set 
of  characters  that  can  be  used  in  symbols. 

A symbol is a nonempty sequence of characters c1, ..., cn such
that (a) for each i greater than 0 and less than n+1, ci is one of the
following printing ASCII characters:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

abcdefghijklmnopqrstuvwxyz

0123456789

!#$&+,-./:;<=>?@\^_~

and (b) c1 is not a digit, the plus sign, the minus sign, or period.

We  assume  that  associated  with  each  symbol  is  a  nonnegative 
integer  called  the  arity  of  the  symbol. 

Intuitively,  the  arity  of  a  symbol  is  the  number  of  arguments 
the  symbol  takes  when  used  as  a  function  symbol.  For  example,  the 
arities  of  TRUE,  NOT,  PLUS,  and  IF  are,  respectively  0,  1,  2,  and  3. 

The  arity  of  other  symbols  will  become  clear  as  time  goes  by. 


A  term  is  either  a  symbol  or  a  finite  sequence  of  length  n+1 
whose  first  member  is  a  symbol  of  arity  n,  and  whose  remaining  members 
are  terms. 

Although we now formally permit lower case letters in our
terms, in this document we adhere to our convention of using lower case
words to denote "metavariables" standing for terms. When we say that a
term p has the form q, we mean that p can be obtained by replacing the
lower case symbols in q by symbols or terms. For example, (LESSP (D X)
X) has the form (r (D x) x) since it may be obtained by replacing r by
LESSP and x by X. (CONS A (CONS B "NIL")) has the form (CONS x y) and
also the form (LIST a b), since (LIST a b) is an abbreviation for (CONS
a (CONS b "NIL")). Finally, (CONS A B) does not have the form (CONS X
y).

When  we  enclose  a  lower  case  symbol  in  quotation  marks  it 
should  be  understood  to  denote  the  same  thing  denoted  by  enclosing  in 
quotation  marks  the  denotation  of  the  symbol.  For  example,  if  wrd  is 
understood  to  denote  ABC,  then  "wrd"  is  understood  to  denote  "ABC". 

2.  Literal  Atoms 

The  shell  definition  for  LITATOMs  is  modified:  there  is  no 
bottom  object. 

We  abandon  the  conventions  in  [1]  specifying  the 
interpretation  of  symbols  in  quotation  marks  (including  the  convention 
that  "NIL"  was  an  abbreviation  of  the  (now  absent)  bottom  object).  We 
define  our  new  abbreviation  conventions  below. 

3.  Ordered  Pairs 

The  default  values  for  the  CONS  shell  are  0  and  0  (instead  of 
"NIL"  and  "NIL"). 
4. Negative Integers

Shell Definition

Add the shell MINUS of one argument
with recognizer NEGATIVEP,
accessor NEGATIVE.GUTS,
type restriction (NUMBERP X1),
default value 0, and
well-founded relation NEGATIVE.GUTSP.

5.  Abbreviations 

We continue to use the abbreviation conventions introduced in
[1], except that we modify the conventions concerning the abbreviation
of LITATOMs: if wrd is a symbol, and the ASCII character codes for the
characters in wrd are, in order, i1, ..., in, then "wrd" is an
abbreviation of the term (PACK (CONS i1 (CONS i2 ... (CONS in 0)...))).

In  addition,  we  add  two  new  abbreviations. 

If n is a positive integer and t1, t2, ..., tn are terms, then
(LIST t1 ... tn) is an abbreviation of (CONS t1 (LIST t2 ... tn)).
(LIST) is an abbreviation of "NIL".

If  n  is  a  positive  integer,  then  -n  is  an  abbreviation  of 

(MINUS  n). 

6.  SYMBOLP 

In preparation for defining FORMP, we add definitions for the
functions LEGAL.CHAR.CODES, ILLEGAL.FIRST.CHAR.CODES,
LEGAL.CHAR.CODE.SEQ, SYMBOLP, and LOOKUP to our basic theory.

(LEGAL.CHAR.CODES) has as its value the list of ASCII codes of
those characters we permit to occur in symbol names (A-Z, a-z, 0-9, and
a certain set of signs). (ILLEGAL.FIRST.CHAR.CODES) has as its value
the list of those characters we do not permit as the first character of
a symbol name (0-9, +, -, and .):
Definitions.

(LEGAL.CHAR.CODES)
=
(LIST 65 66 67 ... 88 89 90
      97 98 99 ... 120 121 122
      48 49 50 ... 55 56 57
      33 35 36 38 43 44 45 46 47 58
      59 60 61 62 63 64 92 94 95 126),

(ILLEGAL.FIRST.CHAR.CODES)
=
(LIST 48 49 50 ... 55 56 57 43 45 46),

(LEGAL.CHAR.CODE.SEQ L)
=
(AND (LISTP L)
     (SUBSETP L (LEGAL.CHAR.CODES))
     (NOT (MEMBER (CAR L) (ILLEGAL.FIRST.CHAR.CODES)))
     (EQUAL (CDR (LAST L)) 0)),

(SYMBOLP X)
=
(AND (LITATOM X)
     (LEGAL.CHAR.CODE.SEQ (UNPACK X))),

(LOOKUP X ALIST)
=
(IF (NLISTP ALIST)
    "NIL"
    (IF (AND (LISTP (CAR ALIST))
             (EQUAL X (CAAR ALIST)))
        (CDAR ALIST)
        (LOOKUP X (CDR ALIST)))).

Functions used but not defined in this paper (e.g., NLISTP,
LAST, MEMBER, and SUBSETP) are defined in [1] and are to be considered
part of the basic theory. Informally, (NLISTP X) is (NOT (LISTP X)),
(LAST X) is the last CONS in the CDR chain of X, (MEMBER X L) is (TRUE)
or (FALSE) according to whether X is a member of the list L, and (SUBSETP
L1 L2) is (TRUE) or (FALSE) according to whether every member of L1 is a
member of L2.
7. Miscellaneous


We prohibit the introduction of QUOTE and NIL as function
symbols in axioms (including definitions and invocations of the shell
principle).

B.  Histories  and  Theories 

The  basic  axioms  are  the  axioms  and  definitions  of  Chapter  III  of 
A  Computational  Logic,  as  amended  above. 

t  can  be  proved  directly  from  a  set  of  axioms  A  if  and  only  if  t 
may  be  derived  from  the  axioms  in  A  and  the  basic  axioms  by  applying  the 
following  rules  of  inference: 

*  The  propositional  calculus  with  equality  and  function 
symbols 

*  The  rule  of  inference  that  any  instance  of  a  theorem  is  a 
theorem 

*  Our  principle  of  induction 

There  are  three  kinds  of  axiomatic  acts:  (a)  an  application  of  the 
shell  principle,  (b)  an  application  of  the  principle  of  definition,  and 
(c)  the  arbitrary  addition  of  an  axiom.  Each  such  act  adds  one  or  (in 
the  case  of  the  shell  principle)  more  axioms. 

A  history  is  a  finite  sequence  of  axiomatic  acts  such  that  for  each 
application  of  the  principle  of  definition  in  the  sequence,  the  theorems 
required  by  the  principle  of  definition  can  be  proved  directly  from  the 
axioms  added  by  the  previous  acts  in  the  history. 

If for some m, T1 is the sequence of axiomatic acts a1, ..., am, and
for some n, T2 is the sequence of axiomatic acts a1, ..., am, ..., an,
where n is greater than or equal to m, then T2 is an extension of T1.

If a history T2 may be obtained from a history T1 merely by adding
definition acts to the end of T1, then T2 is a definitional extension of
T1.

A  conjecture  t  can  be  proved  in  a  history  T  if  and  only  if  t  can  be 
proved  directly  from  the  axioms  of  some  definitional  extension  of  T. 
(For example, even though the proof of the correctness of the tautology-
checker presented in [1] involves the introduction of the new,
auxiliary concept of "IF-normal form," we say that the correctness
theorem "can be proved" in the history before the addition of the
definition of IF-normal.)

A  history  is  constructive  if  it  contains  no  arbitrary  axioms. 

A history is ordinary if there are no axioms of the history that
mention APPLY, MEANING, MEANING.LST, ARITY, FORM.LSTP, or FORMP as
function symbols.

t  is  a  term  of  T  if  and  only  if  t  is  a  term,  T  is  a  history,  and 
every  symbol  mentioned  as  a  function  symbol  in  t  is  used  as  a  function 
symbol  in  some  axiom  of  T. 

C. Assumption of Consistency

We  assume  that  if  T  is  a  constructive  history,  then  T  is 
consistent,  i.e.,  (EQUAL  (FALSE)  (TRUE))  cannot  be  proved  in  T.  This 
assumption  plays  an  interesting  role  in  the  proof  and  implementation  of 
the  Metatheorem;  we  comment  further  upon  that  role  in  Section  VI. 

If  any  constructive  history  is  inconsistent,  then  elementary  number 
theory,  at  least,  is  inconsistent,  since  the  constructive  history  can  be 
embedded  in  elementary  number  theory. 

While we might offer a "proof" that every constructive history is
consistent, the only proof that we imagine requires at least the power
of elementary number theory. We find it difficult to imagine a proof of
the consistency of a constructive history within a mathematical theory
that was less powerful than a constructive history because all logical
theories of which we are aware require the power of inductive definition
merely to define the language of any other logical theory.
D. Explicit Value Terms

In  A  Computational  Logic  we  define  the  notion  of  an  "explicit  value 
term."  We  make  extensive  use  of  the  properties  of  such  terms  in  this 
paper,  so  we  here  summarize  their  properties. 

Suppose  T  is  a  history. 

A term in T is said to be an explicit value term with respect to T
provided (i) it contains no variables, (ii) every function symbol in it
is either TRUE, FALSE, or the bottom object or constructor function
symbol of some shell class in T, and (iii) for each subterm of t of the
form (const t1 ... tn), where const is the constructor function symbol
of some shell class in T, each ti satisfies the type restriction on the
ith argument position of const.

Examples of explicit value terms are (ZERO), (ADD1 (ADD1 (ADD1
(ZERO)))), and (CONS (ADD1 (ZERO)) (ZERO)). (ADD1 (TRUE)) is not an
explicit value because (TRUE) violates the numeric type restriction for
ADD1.

Theorem. If t1 and t2 are two distinct explicit value terms with
respect to T, then (NOT (EQUAL t1 t2)) is a theorem.

Proof. We induct on the structure of t1 and t2.

Base Case. If either t1 or t2 is a variable, then the theorem is
vacuously true because variables are not explicit values.

Induction step. If t1 and t2 are both function applications, say
(f s1 ... sm) and (g r1 ... rn), then either f and g are the same
function symbol or not. If f is not g, then the theorem follows,
without appeal to the inductive hypotheses, merely by considering the
shell axioms and the axiom that (TRUE) is not equal to (FALSE). If f
and g are the same function symbol, then m is n and there is some i such
that si is not the same term as ri. By inductive hypothesis we can
prove that (NOT (EQUAL si ri)), and the desired conclusion follows from
the shell axiom for f that (EQUAL (f x1 ... xn) (f x1' ... xn')) is
equivalent to the conjunction of (EQUAL x1 x1') ... and (EQUAL xn xn'),
provided each xi and xi' satisfies the ith type restriction on const.
Q.E.D.

A function symbol fn is explicit value preserving with respect to T
if it is TRUE, FALSE, IF, EQUAL, a function symbol axiomatized in T with
an application of the shell principle, or a function symbol defined in T
such that (a) every other function symbol used in the body of the
definition is explicit value preserving with respect to T and (b) the
theorems that must be proved under the principle of definition before fn
is admitted can be proved directly from the shell axioms of T and the
definitions of explicit value preserving functions with respect to T
defined before fn.

For example, APPEND, as defined as follows:

Definition.

(APPEND X Y)
=
(IF (LISTP X)
    (CONS (CAR X) (APPEND (CDR X) Y))
    Y)

is explicit value preserving.

The name "explicit value preserving" is derived from the
observation that if some term t is the application of such a function to
explicit values then it is possible to use the shell axioms and function
definitions to derive an explicit value v such that (EQUAL t v) is a
theorem. For example, using shell axioms and the definition of APPEND
it is easy to reduce (APPEND (CONS 1 (CONS 2 "NIL")) (CONS 3 "NIL")) to
the equivalent explicit value (CONS 1 (CONS 2 (CONS 3 "NIL"))). We now
make this observation more formal.

A  term  t  is  reducible  with  respect  to  T  if  and  only  if  t  mentions 
no  variable  and  every  function  symbol  mentioned  in  t  is  explicit  value 
preserving  with  respect  to  T. 

We define recursively the reduction of a reducible term t of T. If
t is an explicit value, then the reduction of t is t. If t is not an
explicit value, then let s be the leftmost nonexplicit value subterm of
t, (fn t1 ... tn), such that either each ti is an explicit value or fn
is IF and t1 is an explicit value. The reduction of t is the reduction
of the term that results from replacing the leftmost occurrence of s in
t with the term ans defined as follows:

(1) If fn is EQUAL, ans is (TRUE) or (FALSE) according to
whether t1 is identical to t2.

(2) If fn is IF, ans is t3 or t2 according to whether t1 is
(FALSE) or not.

(3) If fn is a recognizer for a shell class with constructor
function symbol c (and optionally, bottom object btm),
then if the function symbol of t1 is c (or btm) then ans
is (TRUE), and otherwise ans is (FALSE).

(4) If fn is the constructor function symbol for a shell
class of T, ans is the result of replacing in s each
argument ti that does not satisfy the type restriction of
the ith argument of fn with the ith default value.

(5) If fn is the ith accessor for some shell class of T with
constructor function symbol c, then if t1 has the form (c
v1 ... vn) for some v1, ..., vn, then ans is vi and
otherwise ans is the ith default value for c.

(6) If fn is a defined function in T, ans is the result of
substituting each ti for the corresponding formal
parameter of the definition of fn in the body of fn.

That "the reduction of a reducible term" is well defined can be
proved by induction because the definition of every defined function
satisfies our principle of definition. That the reduction of a
reducible term t is an explicit value that is provably equal to t
follows from the fact that each step in the computation is justified by
an axiom.

Theorem. If c is an explicit value with respect to T, then the
reduction of (SYMBOLP c) in T is (TRUE) if and only if for some symbol
w, c is "w".

Proof. Suppose (SYMBOLP c) reduces to (TRUE). Then, by
definition, the reduction of (AND (LITATOM c) (LEGAL.CHAR.CODE.SEQ
(UNPACK c))) is (TRUE). Thus (LITATOM c) reduces to (TRUE) and c must
have the form (PACK lst) and (UNPACK c) reduces to lst. Continuing the
argument through LEGAL.CHAR.CODE.SEQ we finally conclude that c must
have the form (PACK (CONS t1 (CONS t2 ... (CONS tn 0)...))), where t1,
..., tn are MEMBERs of (LEGAL.CHAR.CODES) and t1 is not a MEMBER of
(ILLEGAL.FIRST.CHAR.CODES). Thus, t1, ..., tn are NUMBERPs that may be
abbreviated with the integers i1, ..., in. Furthermore, by the
definitions of LEGAL.CHAR.CODES and ILLEGAL.FIRST.CHAR.CODES, i1, ...,
in are ASCII codes satisfying the restrictions we place on symbols. Let
w be the symbol obtained by concatenating the ASCII characters for i1,
..., in. It is easy to confirm that c is "w". The proof in the other
direction is similar. Q.E.D.

E.  Quotations 

We  now  define  the  "correspondence"  between  terms. 

Suppose  that  T  is  any  history. 

c is a quotation of t with respect to T if and only if c and t are
terms and either (i) t is a symbol and c is "t" or (ii) t has the form
(fn a1 ... an) and either (a) t is an explicit value with respect to T
and c is (LIST "QUOTE" t) or (b) for some q1, ..., qn that are
quotations, respectively, of a1, ..., an with respect to T, c is (LIST
"fn" q1 ... qn). If c is a quotation of t with respect to T, then we
say t is the dequotation of c with respect to T.

Thus, a quotation of the variable symbol X is (PACK (CONS 88 0)),
which may be abbreviated "X". A quotation of (ADD1 (ZERO)), which is
the explicit value we abbreviate as 1, is (LIST "QUOTE" 1). But another
quotation of 1 is (LIST "ADD1" (LIST "ZERO")). A quotation of (NOT X)
is (LIST "NOT" "X"). Readers who feel uneasy about the use of such
expressions as "QUOTE" and "ADD1" in terms should recall that they are
mere abbreviations:
"QUOTE"   (PACK (CONS 81 (CONS 85 (CONS 79 (CONS 84 (CONS 69 0))))))

"ADD1"    (PACK (CONS 65 (CONS 68 (CONS 68 (CONS 49 0)))))

"ZERO"    (PACK (CONS 90 (CONS 69 (CONS 82 (CONS 79 0)))))

"NOT"     (PACK (CONS 78 (CONS 79 (CONS 84 0))))

"X"       (PACK (CONS 88 0))

Theorem. If c is a quotation of t with respect to T, then c is an
explicit value term.

Proof. We induct on t. If t is a variable, c is "t", which is an
explicit value. Otherwise, t has the form (fn a1 ... an). If c has the
form (LIST "QUOTE" d) then, since QUOTE is not a function symbol, d is
an explicit value and, thus, so is c. Otherwise, c has the form (LIST
"fn" q1 ... qn), where each qi is a quotation of the corresponding ai. By
induction hypothesis, each qi is an explicit value. Thus c is an
explicit value. Q.E.D.

Theorem. If c is a quotation of both t1 and t2 with respect to T,
then t1 is the same term as t2.

Proof. We induct on the structure of c.

Base case 1. If the top function symbol of c is not CONS, then c
is not the quotation of any term except a symbol. c cannot be a
quotation of two distinct symbols.

Base case 2. If c has the form (LIST "QUOTE" d), then since QUOTE
is not a function symbol, c is a quotation only of the explicit value d.

Induction Step. If the top function symbol of c is CONS but c does
not have the form (LIST "QUOTE" d), then for some fn, q1, ..., qn, c has
the form (LIST "fn" q1 ... qn) where, by inductive hypothesis, each qi
is a quotation of some unique ti. But then c can only be a quotation of
the term (fn t1 ... tn). Q.E.D.
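SYMBOLP from Section III.A.6 together with quotation and dequotation from Section III.E, as an added Python example; this is not the paper's code. The term representation is an assumption made for the example: a symbol is a str, an application (fn a1 ... an) is the tuple (fn, a1, ..., an), and a nonnegative int abbreviates an ADD1 chain on (ZERO). LITATOMs are expanded into PACK terms exactly as in the list of abbreviations above, so the quotations the code builds are explicit values in the sense of Section III.D, which explicit_value_p checks (with ADD1's numeric type restriction and the constructor set TRUE, FALSE, ZERO, ADD1, CONS, PACK assumed for the check). dequote is a plain function of c, which is the content of the uniqueness theorem; the QUOTE form and the structural form of the same explicit value both dequote to the same term.

```python
# Added example (not the paper's code): SYMBOLP (Section III.A.6) and
# quotation / dequotation (Section III.E) in Python.  Term representation is
# assumed: a symbol is a str, (fn a1 ... an) is the tuple (fn, a1, ..., an),
# and a nonnegative int abbreviates (ADD1 ... (ZERO)).  LITATOMs are expanded
# into PACK terms as in the table above, so "X" is ("PACK", ("CONS", 88, 0)).
LEGAL_CHAR_CODES = set(
    [ord(c) for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"]
    + [33, 35, 36, 38, 43, 44, 45, 46, 47, 58, 59, 60, 61, 62, 63, 64, 92, 94, 95, 126])
ILLEGAL_FIRST_CHAR_CODES = set(ord(c) for c in "0123456789") | {43, 45, 46}
# Arities of the symbols allowed in explicit values (Section III.D); ADD1 is the
# one whose argument carries a type restriction (it must be numeric).  Assumed set.
CONSTRUCTORS = {"TRUE": 0, "FALSE": 0, "ZERO": 0, "ADD1": 1, "CONS": 2, "PACK": 1}

def legal_char_code_seq(codes):
    """LEGAL.CHAR.CODE.SEQ on a Python list of codes (the 0 terminator is implicit)."""
    return bool(codes) and set(codes) <= LEGAL_CHAR_CODES and codes[0] not in ILLEGAL_FIRST_CHAR_CODES

def symbolp(word):
    """SYMBOLP: is word a symbol in the sense of Section III.A.1?"""
    return isinstance(word, str) and legal_char_code_seq([ord(c) for c in word])

def pack(word):
    """Expand the abbreviation "word" into (PACK (CONS i1 (CONS i2 ... (CONS in 0)...)))."""
    if not symbolp(word):
        raise ValueError("not a legal symbol: %r" % word)
    cell = 0
    for ch in reversed(word):
        cell = ("CONS", ord(ch), cell)
    return ("PACK", cell)

def is_litatom(c):
    return isinstance(c, tuple) and c[0] == "PACK"

def unpack(litatom):
    """Read the symbol back out of a PACK term."""
    cell, word = litatom[1], ""
    while cell != 0:
        word, cell = word + chr(cell[1]), cell[2]
    return word

def lst(*items):
    """(LIST t1 ... tn) = (CONS t1 (LIST t2 ... tn)); (LIST) = "NIL"."""
    out = pack("NIL")
    for item in reversed(items):
        out = ("CONS", item, out)
    return out

def unlist(c):
    items = []
    while not (is_litatom(c) and unpack(c) == "NIL"):
        items.append(c[1])
        c = c[2]
    return items

def numeric_p(t):
    return (isinstance(t, int) and not isinstance(t, bool)) or (isinstance(t, tuple) and t[0] in ("ZERO", "ADD1"))

def explicit_value_p(t):
    """Section III.D: no variables, only TRUE/FALSE/constructors, type restrictions met."""
    if isinstance(t, int) and not isinstance(t, bool):
        return True
    if not isinstance(t, tuple) or CONSTRUCTORS.get(t[0]) != len(t) - 1:
        return False
    if t[0] == "ADD1" and not numeric_p(t[1]):      # rejects (ADD1 (TRUE))
        return False
    return all(explicit_value_p(a) for a in t[1:])

def expand_int(n):
    t = ("ZERO",)
    for _ in range(n):
        t = ("ADD1", t)
    return t

def quote(t, use_quote=True):
    """A quotation of t: clause (i) for a symbol, (ii)(a) for an explicit value
    when use_quote is set, (ii)(b) structurally otherwise."""
    if isinstance(t, str):
        return pack(t)
    if use_quote and explicit_value_p(t):
        return lst(pack("QUOTE"), t)
    if isinstance(t, int):
        t = expand_int(t)
    return lst(pack(t[0]), *(quote(a, use_quote) for a in t[1:]))

def dequote(c):
    """The dequotation of c; it is unique because this is a function of c alone."""
    if is_litatom(c):
        return unpack(c)
    items = unlist(c)
    if is_litatom(items[0]) and unpack(items[0]) == "QUOTE":
        return items[1]
    return (unpack(items[0]),) + tuple(dequote(q) for q in items[1:])
```

quote(("NOT", "X")) yields the expansion of (LIST "NOT" "X"), quote(1) the expansion of (LIST "QUOTE" 1), and quote(1, use_quote=False) that of (LIST "ADD1" (LIST "ZERO")); all three dequote back to the term they came from, and explicit_value_p holds of every quotation produced. pack refuses names that SYMBOLP would reject, such as one starting with a digit.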
IV THE METATHEOREM


A. The Metaaxioms and Metadefinitions

When  we  are  trying  to  prove  the  correctness  of  a  metafunction,  we 
have  some  axioms  about  MEANING,  FORMP,  and  some  auxiliary  functions. 
These  axioms,  called  the  "metaaxioms,"  specify  the  values  of  MEANING  and 
FORMP  on  symbolic  expressions  corresponding  to  terms  in  the  current 
theory.  The  axioms  do  not  specify  the  values  of  MEANING  and  FORMP  on 
objects  that  "look  like"  symbolic  expressions  but  that  have  unrecognized 
function  symbols. 

Once a metafunction has been proved correct, we may apply it as a
new proof procedure — even if new function symbols have been added to
the theory. Formally speaking, its application involves the
introduction of definitions of MEANING, FORMP, and some auxiliary
functions. These definitions are called the "metadefinitions." The
definitions not only specify the values of MEANING and FORMP on symbolic
expressions corresponding to terms in the new theory, but on all
explicit values. For example, FORMP is (FALSE) on any object that
"looks like" a symbolic expression but has an unrecognized function
symbol. But because the metaaxioms are easy consequences of the
metadefinitions, we can prove the correctness of the metafunction — and
use it — in the new theory.

By not completely specifying MEANING and FORMP during the
correctness proof for a metafunction, we permit the application of the
metafunction in extensions containing new function symbols. By
introducing MEANING and FORMP under the principle of definition when the
metafunction is used in the proof of a new conjecture, the proof of the
conjecture does not depend upon nondefinitional axioms about MEANING and
FORMP.


Assume we have a standard ordering of all symbols and that TRUE,
NOT, IF, and PLUS come first, in that order.

Suppose that (a) T is a history, (b) TRUE, NOT, IF, PLUS, f5, ...,
fm is the sequence of symbols mentioned as function symbols in axioms of
T in the standard order, and (c) 0, 1, 3, 2, a5, ..., am is the sequence
of the arities of the symbols TRUE, NOT, IF, PLUS, f5, ..., fm.

1. The Metaaxioms

The metaaxioms for T are as follows:

(MEANING.LST X A)
  (IF (NLISTP X)
      "NIL"
      (CONS (MEANING (CAR X) A)
            (MEANING.LST (CDR X) A))),

(IMPLIES (NLISTP X)
         (EQUAL (MEANING X A) (LOOKUP X A))),

(EQUAL (MEANING (LIST "QUOTE" X) A)
       X),

(IMPLIES (NOT (EQUAL FN "QUOTE"))
         (EQUAL (MEANING (CONS FN X) A)
                (APPLY FN (MEANING.LST X A)))),

(EQUAL (APPLY "TRUE" X)
       (TRUE)),

(EQUAL (APPLY "NOT" X)
       (NOT (CAR X))),

(EQUAL (APPLY "IF" X)
       (IF (CAR X) (CADR X) (CADDR X))),

(EQUAL (APPLY "PLUS" X)
       (PLUS (CAR X) (CADR X))),

... and so on for all of the functions f5, ..., fm.

(EQUAL (ARITY "TRUE") 0),
(EQUAL (ARITY "NOT") 1),
(EQUAL (ARITY "IF") 3),
(EQUAL (ARITY "PLUS") 2),

... and so on for all of the symbols "f5", ..., "fm",

(FORM.LSTP X)
  (IF (NLISTP X)
      (EQUAL X "NIL")
      (AND (FORMP (CAR X))
           (FORM.LSTP (CDR X)))),

(FORMP X)
  (IF (NLISTP X)
      (SYMBOLP X)
      (IF (EQUAL (CAR X) "QUOTE")
          (AND (LISTP (CDR X))
               (EQUAL (CDDR X) "NIL"))
          (AND (EQUAL (ARITY (CAR X)) (LENGTH (CDR X)))
               (FORM.LSTP (CDR X))))).


Note that the value of (ARITY X) is unspecified if X is not
one of the LITATOMs "TRUE", "NOT", "IF", "PLUS", "f5", ..., "fm".
Further, (FORMP X) is unspecified if X is a LISTP and (ARITY (CAR X)) is
unspecified.

Note also that FORMP is more elaborate than we sketched it in
the discussion of CANCEL. In particular, we require that function and
variable symbols be SYMBOLPs and that objects used as function symbols
have numeric arity and be provided with the proper number of arguments;
in addition, we allow the symbolic expression whose CAR is the LITATOM
"QUOTE" and whose MEANING is defined to be the CADR of the expression.
Note that we are not elevating QUOTE to a "function symbol" even at the
meta level of FORMP. We are merely axiomatizing the recursive functions
FORMP and MEANING to behave in a certain way when they encounter a LISTP
object whose CAR is (PACK (CONS 81 (CONS 85 (CONS 79 (CONS 84 (CONS 69
0)))))).
2. The Metadefinitions


The metadefinitions for T are as follows:

(APPLY X L)
  (IF (EQUAL X "TRUE")
      (TRUE)
      (IF (EQUAL X "NOT")
          (NOT (CAR L))
          (IF (EQUAL X "IF")
              (IF (CAR L) (CADR L) (CADDR L))
              (IF (EQUAL X "PLUS")
                  (PLUS (CAR L) (CADR L))
                  (IF (EQUAL X "f5")
                      (f5 (CAR L) ... (CAD...R L))
                      ...
                      (IF (EQUAL X "fm")
                          (fm (CAR L) ... (CAD...R L))
                          (TRUE))))))),

(MEANING.LST X A)
  (IF (NLISTP X)
      "NIL"
      (CONS (IF (NLISTP (CAR X))
                (LOOKUP (CAR X) A)
                (IF (EQUAL (CAAR X) "QUOTE")
                    (CADR (CAR X))
                    (APPLY (CAAR X)
                           (MEANING.LST (CDAR X) A))))
            (MEANING.LST (CDR X) A))),

(MEANING X A)
  (CAR (MEANING.LST (LIST X) A)),

(ARITY X)
  (IF (EQUAL X "TRUE")
      0
      (IF (EQUAL X "NOT")
          1
          (IF (EQUAL X "IF")
              3
              (IF (EQUAL X "PLUS")
                  2
                  (IF (EQUAL X "f5")
                      a5
                      ...
                      (IF (EQUAL X "fm")
                          am
                          "NIL")))))),

(FORM.LSTP X)
  (IF (NLISTP X)
      (EQUAL X "NIL")
      (AND (IF (NLISTP (CAR X))
               (SYMBOLP (CAR X))
               (IF (EQUAL (CAAR X) "QUOTE")
                   (AND (LISTP (CDAR X))
                        (EQUAL (CDDR (CAR X)) "NIL"))
                   (AND (EQUAL (ARITY (CAAR X))
                               (LENGTH (CDAR X)))
                        (FORM.LSTP (CDAR X)))))
           (FORM.LSTP (CDR X)))),

(FORMP X)
  (FORM.LSTP (LIST X)).

If T is an ordinary history, let MA[T] be the history that
results from adding the metaaxioms for T to T as arbitrary axioms and
let MD[T] be the history that results from adding the metadefinitions
for T to T, in order, as (explicit value preserving) definitions.
B. Statement and Proof of the Metatheorem


For the remainder of this section, let us make the following
suppositions.

(1) T1 is a constructive, ordinary history,

(2) simp is an explicit value preserving function defined in
T1 with arity 1,

(3) in MA[T1] we can prove the formula

*META
(IMPLIES (FORMP X)
         (AND (EQUAL (MEANING X ALIST)
                     (MEANING (simp X) ALIST))
              (FORMP (simp X)))), and

(4) T2 is an ordinary extension of T1.

It is our objective to show that if p is a term of T2, c is a
quotation of p with respect to T2, and d is the reduction of (simp c),
then d is a quotation of some term q of T2 with respect to T2 and (EQUAL
p q) is a theorem of T2. Thus, while proving theorems in T2, we may at
any time replace a term p of T2 with the dequotation of the reduction of
the application of simp to a quotation of p. First we note a few
lemmas.

Let T1.5 be the extension of T1 that results from adding (a) the
applications of the shell principle made while extending T1 to T2 and
(b) the metadefinitions for T2 as definitions.

We now make a few trivial observations about T1.5:

(1) In T1.5, APPLY may mention functions that are undefined.
Nevertheless, T1.5 is constructive since T1 is
constructive and in producing the extension we added no
arbitrary axioms.

(2) In T1.5, ARITY, FORM.LSTP, and FORMP are explicit value
preserving.

(3) The explicit values of T2 are just the explicit values of
T1.5.

(4) If t is reducible with respect to T1.5, then t is
reducible with respect to MD[T2] and the reduction of t
in T1.5 is the reduction of t in MD[T2].

(5) Finally, c is a quotation of t with respect to T2 if and
only if c is a quotation of t with respect to T1.5.

We are interested in T1.5 because, being constructive, it is
consistent and yet has the property proved below. Our interest in
consistency is explained in Section VI, after we have proved the
Metatheorem and discussed its use.

Theorem A. If c is an explicit value with respect to T1.5, then
the reduction of (FORMP c) in T1.5 is (TRUE) if and only if for some
term t of T2, c is a quotation of t with respect to T1.5.

The proof is by induction on the structure of c.

Base case 1. If the top function symbol of c is not CONS, then the
reduction of (FORMP c) is the reduction of (SYMBOLP c). But the
reduction of (SYMBOLP c) is (TRUE) if and only if for some symbol w, c
is "w". But "w" is a quotation of w.

Base case 2. If c is a term of the form (LIST "QUOTE" d), then the
reduction of (FORMP c) is (TRUE), d is an explicit value, and c is a
quotation of d.

Induction step. Suppose the function symbol of c is CONS but c
does not have the form (LIST "QUOTE" d). Suppose that the reduction of
(FORMP c) is (TRUE). Then for some symbol fn and for some explicit
values c1, ..., cn, c has the form (LIST "fn" c1 ... cn), the reduction
of (ARITY "fn") is n, and the reduction of each (FORMP ci) is (TRUE).
By inductive hypothesis, there exist terms t1, ..., tn of T2 such that
ci is a quotation of ti with respect to T1.5. By the construction of
the definition of ARITY, the arity of fn is n and c is a quotation of
the term (fn t1 ... tn). On the other hand, suppose that for some term
t, c is a quotation of t. t must have the form (fn t1 ... tn) and c
must have the form (LIST "fn" a1 ... an) for some quotations a1, ..., an
of t1, ..., tn. Hence the reduction of (FORMP c) is (TRUE). Q.E.D.

If v1, ..., vn is a sequence of symbols, then the standard alist
for v1, ..., vn is the term:

(LIST (CONS "v1" v1) ... (CONS "vn" vn)).


Theorem B. If c is a quotation of t with respect to T2, t is a
term of T2, and a is the standard alist for any sequence of variables
that contains all of the symbols that are used as variables in t, then
the following can be proved in MD[T2]:

(EQUAL (MEANING c a)
       t).

Proof. We prove this theorem by induction on the structure of the term
t.

Base Case. If t is a symbol, then c is "t" and (MEANING "t" a) is
(LOOKUP "t" a) which is (CDR (CONS "t" t)) which is t.

Induction step. Suppose t has the form (fn t1 ... tn). If t is an
explicit value and c is (LIST "QUOTE" t), then by the definition of
MEANING, (MEANING c a) is t. If c does not have the form (LIST "QUOTE"
d), then c has the form (LIST "fn" q1 ... qn), where each qi is a
quotation of ti. Since every variable of any ti is a variable of t, we
have, by inductive hypothesis, that for each i, (EQUAL (MEANING qi a)
ti). Because fn is a function symbol used in an axiom of T2 and is not
QUOTE, we have by the definition of MEANING that

(EQUAL (MEANING (LIST "fn" q1 ... qn) a)
       (fn (MEANING q1 a) ... (MEANING qn a))).

Thus we derive

(EQUAL (MEANING (LIST "fn" q1 ... qn) a)
       (fn t1 ... tn)).

Q.E.D.

The Metatheorem.

Suppose that

(1) p is a term of T2,

(2) c is a quotation of p with respect to T2, and

(3) d is the reduction of (simp c) in T2.

Then, the reduction of (FORMP d) in T2 is (TRUE), d is
the quotation of some term q of T2, and in T2 we can prove

(EQUAL p q).


Proof. Since c is a quotation with respect to T2 of a term of T2,
(FORMP c) reduces to (TRUE) in T1.5 by Theorem A. Because we can prove
*META in MA[T1] and because the metaaxioms of T1 are each theorems of
T1.5, we can prove *META in T1.5. Detaching the hypothesis of *META, we
can prove in T1.5 that (FORMP d). The reduction of (FORMP d) in T1.5 is
either (TRUE) or (FALSE). If it is (FALSE), then T1.5 is inconsistent.
But we have assumed that T1.5 is consistent since it is constructive.
Thus the reduction of (FORMP d) in T1.5 is (TRUE) and its reduction in
T2 is (TRUE) also.

By Theorem A there exists a term q of T2 such that d is a quotation
of q. Let q be the dequotation of d. Let a be the standard alist for a
sequence containing all of the variables in p and q. Since every axiom
(including the definitions) of MA[T1] can be proved in MD[T2], both
*META and (FORMP c) can be proved in MD[T2]. Detaching the hypothesis
of *META in MD[T2], we derive that (EQUAL (MEANING c a) (MEANING d a)).
But since (EQUAL p (MEANING c a)) and (EQUAL q (MEANING d a)) by Theorem
B, we obtain (EQUAL p q) in MD[T2]. Since MD[T2] is a definitional
extension of T2, we can prove (EQUAL p q) in T2. Q.E.D.
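The metadefinitions of Section IV.A and the *META obligation of Section IV.B, modelled in Python as an added example (not the paper's code): MEANING, FORMP, ARITY and APPLY for a small history whose function symbols are TRUE, NOT, IF, PLUS and one constructed user function DOUBLE standing in for f5, a constructed metafunction simp that folds constants, and a check of both conjuncts of *META on constructed sample forms. The value representation, the treatment of every string as a legal SYMBOLP, and the result of LOOKUP on an unbound variable are assumptions of the model.

```python
# Added example, not from the paper: a Python model of the metadefinitions of
# Section IV.A and of the *META obligation of Section IV.B for one small history.
# Explicit values: T/F are True/False, NUMBERPs are ints, LITATOMs are str,
# LISTPs are non-empty Python lists and the LITATOM NIL is the str "NIL".
# Assumptions of the model: proper lists only, every str is a legal SYMBOLP,
# and LOOKUP of an unbound variable yields 0.

def listp(x):
    return isinstance(x, list) and len(x) > 0

def car(x):                 # (CAR X) is 0 on a non-list, as in the logic
    return x[0] if listp(x) else 0

def cdr(x):                 # (CDR X) is 0 on a non-list; "NIL" ends a proper list
    if not listp(x):
        return 0
    return x[1:] if len(x) > 1 else "NIL"

def cadr(x):
    return car(cdr(x))

def fix(x):                 # coercion used by PLUS: non-numbers count as 0
    return x if isinstance(x, int) and not isinstance(x, bool) else 0

def equal(a, b):            # EQUAL that keeps T/F distinct from 1/0
    if isinstance(a, list) and isinstance(b, list):
        return len(a) == len(b) and all(equal(p, q) for p, q in zip(a, b))
    return type(a) is type(b) and a == b

def lookup(var, alist):     # value paired with var in the alist, 0 if unbound
    return next((cadr(p) for p in alist if equal(car(p), var)), 0)

ARITIES = {"TRUE": 0, "NOT": 1, "IF": 3, "PLUS": 2, "DOUBLE": 1}  # DOUBLE: constructed f5

def arity(x):               # (ARITY X) is "NIL" on any symbol the history does not mention
    return ARITIES.get(x, "NIL") if isinstance(x, str) else "NIL"

def apply_fn(fn, args):     # (APPLY X L); only F counts as false in the logic
    if fn == "TRUE":
        return True
    if fn == "NOT":
        return car(args) is False
    if fn == "IF":
        return cadr(args) if car(args) is not False else car(cdr(cdr(args)))
    if fn == "PLUS":
        return fix(car(args)) + fix(cadr(args))
    if fn == "DOUBLE":
        return 2 * fix(car(args))
    return True             # the metadefinitions' final branch, (TRUE)

def meaning_lst(x, a):      # (MEANING.LST X A)
    if not listp(x):
        return "NIL"
    head = car(x)
    if not listp(head):
        v = lookup(head, a)
    elif car(head) == "QUOTE":
        v = cadr(head)
    else:
        v = apply_fn(car(head), meaning_lst(cdr(head), a))
    rest = meaning_lst(cdr(x), a)
    return [v] + (rest if listp(rest) else [])

def meaning(x, a):          # (MEANING X A)
    return car(meaning_lst([x], a))

def form_lstp(x):           # (FORM.LSTP X)
    if not listp(x):
        return x == "NIL"
    head = car(x)
    if not listp(head):
        ok = isinstance(head, str)
    elif car(head) == "QUOTE":
        ok = listp(cdr(head)) and cdr(cdr(head)) == "NIL"
    else:                   # an unknown symbol has ARITY "NIL", so this EQUAL fails
        ok = arity(car(head)) == len(head) - 1 and form_lstp(cdr(head))
    return ok and form_lstp(cdr(x))

def formp(x):               # (FORMP X)
    return form_lstp([x])

def simp(x):
    """Constructed metafunction: folds PLUS of two QUOTEd values and IF on a QUOTEd test."""
    if not listp(x) or car(x) == "QUOTE":
        return x
    args = [simp(g) for g in x[1:]]
    quoted = [listp(g) and car(g) == "QUOTE" for g in args]
    if car(x) == "PLUS" and len(args) == 2 and all(quoted):
        return ["QUOTE", fix(cadr(args[0])) + fix(cadr(args[1]))]
    if car(x) == "IF" and len(args) == 3 and quoted[0]:
        return args[1] if cadr(args[0]) is not False else args[2]
    return [car(x)] + args

def check_meta(simplifier, x, alist):
    """One instance of *META: None when (FORMP X) fails, otherwise the pair
    (MEANING preserved?, (FORMP (simp X)) holds?)."""
    if not formp(x):
        return None
    d = simplifier(x)
    return (equal(meaning(x, alist), meaning(d, alist)), formp(d))

# Constructed sample alist and forms.
ALIST = [["X", 7], ["Y", False]]
PLUS_FORM = ["PLUS", ["QUOTE", 2], ["QUOTE", 3]]
IF_FORM = ["IF", ["QUOTE", False], "X", ["DOUBLE", ["PLUS", ["QUOTE", 1], ["QUOTE", 1]]]]
```

A simplifier that drops the QUOTE around a folded constant (for instance `lambda f: cadr(simp(f))`) makes check_meta return (False, False): the FORMP conjunct of *META is what rules out results that are not forms, which is the invariant Section VI.A relies on.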
V OUR IMPLEMENTATION OF METAFUNCTIONS


In the next three sections of this paper we describe our efficient
implementation of metafunctions in INTERLISP [6]. Here are the steps
in our description and the proof of the implementation's correctness:

(1) We describe in Section VI how in our theorem-proving
program we represent the terms of our theories with
INTERLISP objects.

(2) Let (list 'QUOTE obj) denote an INTERLISP list of length
two with the INTERLISP atom QUOTE as its first element
and the INTERLISP object obj as its second. In Section
VII, Lemma 18, we demonstrate, under the suppositions
and hypothesis of the Metatheorem, that if (list 'QUOTE
obj) represents some explicit value w of T2, (FORMP w)
reduces to (TRUE) in MD[T2] (or, equivalently, in T1.5),
and the INTERLISP machine state corresponds to the
history T2, then obj represents a term of T2.

(3) We then demonstrate in Section VII, Lemma 19, that if
the INTERLISP machine state corresponds to any history T
and in that state obj is an INTERLISP object that
represents a term p of T, then (list 'QUOTE obj)
represents a term in T that is a quotation of p with
respect to T.

(4) Finally, in Section VIII we describe how we have
arranged so that if the INTERLISP machine state
corresponds to any theory T and fn is an explicit value
preserving function with respect to T, then stored in the
definition cell of the INTERLISP literal atom 1fn is a
routine such that if c1, ..., cn are explicit values of T
represented by the INTERLISP objects (list 'QUOTE obj1),
..., (list 'QUOTE objn), and val is the INTERLISP object
computed by applying 1fn to obj1, ..., objn, then (list
'QUOTE val) represents the reduction of (fn c1 ... cn).

We are then free to utilize the Metatheorem in the following way.
Suppose that during a proof in T2 we have in hand an INTERLISP object
objc representing some term p of T2. By Lemma 19, (list 'QUOTE objc)
represents some term c that is a quotation of p. Let objd be the result
of applying 1simp to objc. By our implementation of 1functions, (list
'QUOTE objd) represents the term d that is the reduction of (simp c).
From the Metatheorem, we know that (FORMP d) reduces to (TRUE). From
Lemma 18, we learn, then, that objd represents some term q of T2. From
Lemma 19, again, we learn that d is a quotation of q. Finally, from the
Metatheorem, we learn that (EQUAL p q) is a theorem of T2.

Consequently, we may engage in the typical theorem-prover activities
justified by "substitution of equals for equals," replacing objc with
objd.

The place in our theorem-prover where metafunctions are thus
utilized is described in Section X.

VI INTERLISP REPRESENTATION OF TERMS


In this section, we explain how we represent terms in our
theorem-prover.

A. The Role of Consistency

Before describing our representation, let us first anticipate some
problems we face and explain why we are interested in consistency.

Recall how we use the metafunction simp to simplify a term
represented by the INTERLISP object objc: the theorem-prover executes
the routine 1simp on objc, obtains some INTERLISP object objd as a
result, and uses objd in place of objc.

We find the fact that objd represents a term to be remarkable in
light of all the invariants a data object must satisfy to represent a
term in an efficiently implemented theorem-prover. To appreciate the
subtlety of the situation, consider what might happen when the compiled
INTERLISP code for the theorem-prover begins to operate on objd. If
objd is an INTERLISP list cell, our theorem-proving code will assume
that the car of objd, x, is an INTERLISP literal atom representing a
function symbol and may fetch x's property list (the left half-word of
the location addressed by x) where information about the function is
stored. But what would happen if x were not a literal atom — for
example, what would happen if it were an INTERLISP number? Then the
machine instruction used to obtain the property list might return an
illegal object whose use could lead the theorem-prover to random,
unpredictable behavior.

For efficiency, we do not check that objd actually satisfies all
the properties the theorem-prover requires of an object representing a
term; so what assures us that it does? The answer is that we know that
the INTERLISP object obtained by embedding objd in a QUOTE represents a
term, d, and that (FORMP d) reduces to (TRUE). We will prove, in Lemma
18, that objd must therefore represent a term.

How do we know that (FORMP d) reduces to (TRUE)? One's first
reaction is: d is (simp c), (FORMP c) is (TRUE), and *META establishes
(IMPLIES (FORMP c) (FORMP (simp c))). But wait. That argument only
implies that (FORMP d) is provably (TRUE). But our Lemma 18 requires
that it reduce to (TRUE). However, as we argued in the proof of the
Metatheorem, (FORMP d) must reduce to (TRUE) or (FALSE) and were it to
reduce to (FALSE) a constructive theory (namely T1.5) would be
inconsistent.

Let us consider the role of consistency from another point of view.
Recall that we require that *META be proved in a constructive
(consistent) theory, T1. Suppose we weakened that and permitted it to
be proved in any theory. What would happen if the theory were
inconsistent? One consequence of an inconsistency in T1 is that one
admits a proof procedure that might prove falsehoods. But nothing is
wrong with that state of affairs, for if T1 is inconsistent, one may
indeed prove anything in it. However, something worse happens. Suppose
the inconsistency permits (FORMP (simp c)) to be proved when in fact it
reduces to (FALSE). Then objd will not in fact be an object satisfying
the theorem-prover's restrictions on terms. Consequently, the
application of simp may cause totally unpredictable behavior by the
theorem-prover (e.g., the smashing of disk files, illegal memory
fetches, loss of the day's work, and so on).

Such catastrophic behavior is a far cry from the expectation that
an inconsistent T1 leads to well-behaved proofs of falsehoods. Some
readers may feel that the user of an inconsistent theory deserves even
catastrophic failures. This is an ill-considered position. Mechanical
theorem-provers often deal with inconsistent theories because a standard
proof strategy is to assume the negation of what one desires to prove
and then seek to prove (FALSE). The theory T2 in which one may apply
simp may be such a theory and cause no catastrophic effects. The moral,
however, is that one should not prove the soundness of one's new proof
procedures while in an inconsistent theory.

Finally, we should observe that we could have stated *META so that
(FORMP (simp c)) did not have to be proved in T1 and then could have
implemented a run-time check that objd indeed represents a term. We
then could have permitted T1 to be inconsistent without catastrophic
consequences. We did not adopt this approach because in most cases the
proof of the FORMP part of *META is straightforward (see Section IX)
and buys efficiency at the mere expense of complicating this paper.

B. Our Subset of INTERLISP

Our objective in this section is to describe how we represent terms
in our theorem-prover in a way that permits the efficient implementation
of the Metatheorem without sacrificing efficiency in more routine
activities. We describe our representation by exhibiting two INTERLISP
programs. The first determines whether its argument represents a term.
The second returns a conventional representation of the term
represented. We chose to describe our representation with such programs
because INTERLISP provides a very succinct way to describe complicated
INTERLISP data structures.

The INTERLISP definitions we present in this paper and our proofs
about those definitions are made in a vastly simplified version of
INTERLISP akin to Pure Lisp. We do not specify the subset precisely.
However, the subset does have the following properties.

* We make no use of "destructive" operations such as SETQ,
SET, and RPLACA.

* We restrict our attention to INTERLISP structures that are
not "circular."

* In establishing the correctness of our mapping between
terms in the theory and INTERLISP objects, we assume we
have an INTERLISP machine with unlimited resources.

The latter assumption permits us to ignore such problems as running out
of list space or exhausting the machine's stack while proving, for
example, that we can represent every explicit value. Of course, we did
not make this assumption while designing the representation, since the
economical representation of terms is one of our objectives, and our
theorem-prover actually causes errors and aborts the proof attempt when
resources are exhausted. But at the moment we are engaged in the
mathematical exercise of establishing the correctness of a mapping
between terms in our theory and INTERLISP objects and we are using
INTERLISP as a mathematical language to describe those objects.

We assume the reader is familiar with the standard, primitive LISP
routines such as cond, cons, car, cdr, and listp. (MACLISP users: read
"consp" for "listp".)

C. Conventions for Mixing INTERLISP and the Theory

The syntax of INTERLISP expressions is very similar to that of our
theory. Because we will often be referring to functions in our theory
and to INTERLISP functions (henceforth called "routines") in close
proximity, we adopt the following three conventions to demark clearly
the boundary between the two.

First, despite the fact that most INTERLISP routines are spelled in
upper case, we spell them in lower case here. We will use upper case
words to denote functions in our theory. Thus (LENGTH X) is a term in
our theory, while (length x) refers to the value of the INTERLISP
routine length applied to the value of the variable x.

Second, we shall adopt the syntactic convention of writing 'w for
(QUOTE w) when w is an INTERLISP literal atom. Thus, the INTERLISP form
that might be written as:

(COND ((EQ I 0) (LIST (QUOTE ZERO)))
      (T (LIST (QUOTE ADD1) (FN (SUB1 I)))))

will here be displayed as

(cond ((eq i 0) (list 'ZERO))
      (T (list 'ADD1 (fn (sub1 i))))).

Third, it is often necessary in this paper to refer to characters
obtained by printing certain INTERLISP objects. To indicate the result
of printing the value of an INTERLISP form, we surround the form with
vertical bars. Such an expression is to be understood as denoting the
sequence of characters obtained by printing the value of the enclosed
INTERLISP form (with prin4, using the original read table and decimal
radix). Thus, if we say "We can prove (EQUAL |(cons 'ZERO NIL)|
(REMAINDER X X))", then we mean "We can prove (EQUAL (ZERO) (REMAINDER X
X))". Of course, to use the vertical bar notation in a context where a
term is expected, we will have to establish that the result of printing
the value of the form denotes a term.


D. Basic INTERLISP Routines


Our representation of terms will involve the following defined
auxiliary INTERLISP routines:

* The routine legal.char.codes takes no arguments and returns
a list, in ascending numerical order, of the integers
mentioned in the definition of LEGAL.CHAR.CODES in Section
III, which are the ASCII codes for the characters that we
permit in symbols.

* The routine illegal.first.char.codes takes no arguments and
returns a list, in ascending numerical order, of the
integers mentioned in the definition of
ILLEGAL.FIRST.CHAR.CODES in Section III, which are the
ASCII codes for the characters that may appear in symbols,
but not first.

* The routine legal.char.code.seq returns T or NIL according
to whether its argument x has or does not have all of the
following properties: (i) (listp x), (ii) for every c, if
(member c x), then (member c (legal.char.codes)), (iii) it
is not the case that (car x) is a member of
(illegal.first.char.codes), and (iv) the cdr of the last
list cell in x is 0.

* The routine unpack0, when given a literal atom x, returns a
list of the ASCII codes of the characters in the "print
name" of x, in the order in which the characters occur in
the print name, and terminating in a 0 instead of a NIL.
(The "print name" of a literal atom is the sequence of
characters produced when the atom is printed. Thus,
(unpack0 'ABC) is a list that prints as (65 66 67 . 0).)

* The routine pack0, when given an object x satisfying
(legal.char.code.seq x), returns the unique INTERLISP
literal atom atm such that (unpack0 atm) is x.

* The routine symbolp returns T or NIL according to whether
its argument represents a symbol in our logic. The
definition of symbolp is:

(symbolp (lambda (x)
  (and (litatom x)
       (legal.char.code.seq (unpack0 x))))).

Note that if (symbolp x) holds, then x is a literal atom and its
print name is a legal.char.code.seq. If (symbolp x) holds, (pack0
(unpack0 x)) is x. Furthermore, if (legal.char.code.seq seq) holds,
then (unpack0 (pack0 seq)) is equal to seq and (symbolp (pack0 seq))
holds. These are the basic properties required of symbolp, pack0,
unpack0, and legal.char.code.seq. INTERLISP contains literal atoms for
which pack0 and unpack0 are inverses but which we do not use as symbols.
For example, there is one whose print name is 1A2. We could have
defined legal.char.code.seq to check for precisely the syntax of those
objects for which pack0 and unpack0 are inverses, but that would have
made its definition far more complicated, for while 1A2 is such an
object, 1E2 is not (it is 1.0 x 10^2 = 100.0).

As the user of our theorem-prover adds definitions, shells, and
other kinds of axioms, our theorem-prover naturally changes the state of
the INTERLISP machine.

* The routine arity, of one argument x, is defined so that if
x is a symbol which is used as a function symbol in some
axiom of the history represented by the current state of
INTERLISP, then arity returns an INTERLISP integer
representing the number of arguments that x takes.
Otherwise, (arity x) is NIL.

* The routine shell.state, of no arguments, returns an alist
which encapsulates information about the uses of the shell
principle in the construction of the history represented by
the current state of INTERLISP. Each member of the list
has a shell constructor function symbol or a bottom object
function symbol as its car. The cdr is a list whose length
is the number of arguments of the function symbol. Each
element of the cdr encodes the type restrictions placed on
the corresponding argument to the constructor function.
Recall that each type restriction for a shell can be
expressed as a requirement that the corresponding argument
either be recognized by one of a finite collection of shell
recognizers or else be recognized by none of a finite
number of shell recognizers. Thus, it would be sufficient
if each element of the cdr were either of the form (ONE.OF
. r) or (NONE.OF . r), where r was a list of recognizers.
However, for convenience we define r to be the list of all
constructor and bottom object function symbols recognized
by the recognizers in question.

* The routine add1.nest takes a nonnegative integer x as its
argument and it returns an object that prints as (ZERO) for
0, (ADD1 (ZERO)) for 1, (ADD1 (ADD1 (ZERO))) for 2, and so
on. Its definition is

(add1.nest
  (lambda (i)
    (cond ((equal i 0) (list 'ZERO))
          (T (list 'ADD1 (add1.nest (sub1 i))))))).

* The routine bminus, if given an argument representing an
integer x, returns an INTERLISP representation of the
negative of x.

* The routine badd1, if given an argument representing an
integer x, returns an INTERLISP representation of x+1.

* The routine plistp returns T or NIL according to whether or
not its argument is a (possibly empty) list whose final cdr
is NIL. Its definition is

(plistp (lambda (x)
  (cond ((nlistp x) (eq x NIL))
        (T (plistp (cdr x)))))).
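The routines of this list, modelled in Python as an added example (not the paper's or INTERLISP's code): a cons cell is a Python pair, NIL is None, a literal atom is a string, and the two character-code sets are constructed stand-ins for the Section III definitions that are not on this page (upper-case letters, digits, "." and "-" are taken as legal, digits as illegal first characters). The model shows the 0-terminated unpack0 list, the pack0/unpack0 round trip, why the print name 1A2 is not a symbolp, add1.nest, and plistp.

```python
# Added example, not the paper's INTERLISP code: the routines of Section VI.D
# modelled in Python.  A cons cell is a pair (car, cdr), NIL is None, a literal
# atom is a str.  The two code sets are constructed stand-ins for the Section III
# definitions, which are not on this page.
LEGAL_CHAR_CODES = sorted(ord(c) for c in
                          "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-")   # assumed
ILLEGAL_FIRST_CHAR_CODES = sorted(ord(c) for c in "0123456789")    # assumed

def show(x):
    """Print a structure the way INTERLISP would, dotting a non-NIL final cdr."""
    if x is None:
        return "NIL"
    if not isinstance(x, tuple):
        return str(x)
    parts = []
    while isinstance(x, tuple):
        parts.append(show(x[0]))
        x = x[1]
    return "(" + " ".join(parts) + ("" if x is None else " . " + show(x)) + ")"

def unpack0(atm):
    """Codes of atm's print name as a list whose final cdr is 0, not NIL."""
    seq = 0
    for ch in reversed(atm):
        seq = (ord(ch), seq)
    return seq

def legal_char_code_seq(x):
    """Properties (i) to (iv) of the paper's legal.char.code.seq."""
    if not isinstance(x, tuple):                    # (i) (listp x)
        return False
    if x[0] in ILLEGAL_FIRST_CHAR_CODES:            # (iii) first code may not be illegal-first
        return False
    while isinstance(x, tuple):
        if x[0] not in LEGAL_CHAR_CODES:            # (ii) every code is a legal code
            return False
        x = x[1]
    return type(x) is int and x == 0                # (iv) the final cdr is 0

def pack0(seq):
    """The unique atom whose unpack0 is seq; defined only on legal sequences."""
    if not legal_char_code_seq(seq):
        raise ValueError("pack0: not a legal.char.code.seq: " + show(seq))
    chars = []
    while isinstance(seq, tuple):
        chars.append(chr(seq[0]))
        seq = seq[1]
    return "".join(chars)

def symbolp(x):
    """(and (litatom x) (legal.char.code.seq (unpack0 x)))."""
    return isinstance(x, str) and legal_char_code_seq(unpack0(x))

def add1_nest(i):
    """(ZERO) for 0, (ADD1 (ZERO)) for 1, and so on, as nested lists."""
    if i == 0:
        return ("ZERO", None)
    return ("ADD1", (add1_nest(i - 1), None))

def plistp(x):
    """T iff x is a (possibly empty) list whose final cdr is NIL."""
    while isinstance(x, tuple):
        x = x[1]
    return x is None

def round_trip_ok(atm):
    """The properties the paper requires: pack0 and unpack0 invert each other on symbols."""
    seq = unpack0(atm)
    return symbolp(atm) and pack0(seq) == atm and unpack0(pack0(seq)) == seq
```

The atom 1A2 round-trips through pack0 and unpack0 but is rejected by symbolp because its first code is in the illegal-first set; accepting only this conservative grammar is what keeps the definition simple, as the paper notes.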


E. Global Variables

For our representation of terms, we have assigned distinct values
to three INTERLISP global variables 1t, 1f, and 1sqm. Each value is an
INTERLISP literal atom, and none of the values represents a symbol in
the logic (i.e., (symbolp 1t), (symbolp 1f) and (symbolp 1sqm) are all
NIL). The role of these variables is explained below. By choosing
names that begin with digits we are guaranteed that these INTERLISP
variables never have the same names as variables in our logic. This
plays a minor role in the efficient compilation of explicit value
preserving functions.

F. The Definition of Terms

Roughly speaking we shall represent variables as symbolps and
function applications as lists in which the car is the function symbol
and the cdr is the list of the appropriate number of argument terms.
However, we wish to encode explicit value terms efficiently. For
example, we prefer to represent the explicit value term

(CONS (PACK (CONS 78 (CONS 79 (CONS 84 0))))
      (CONS (PACK (CONS 80 0))
            (PACK (CONS 78 (CONS 73 (CONS 76 0)))))),

which may be abbreviated by

(LIST "NOT" "P"),

with the INTERLISP list constant that prints as (QUOTE (NOT P)). There
are two reasons: we consume much less space, and if constants in the
theory are represented efficiently by INTERLISP constants then we can
choose to represent terms in our program by INTERLISP constants which
simultaneously represent constants in our theory and facilitate the
efficient application of metafunctions to formulas.

For example, we can represent some NUMBERPs and NEGATIVEPs by
INTERLISP integers, some LITATOMs by INTERLISP literal atoms, and some
LISTPs by INTERLISP lists. Of course, we cannot use the INTERLISP
literal atom 'P to represent both the variable P and the explicit value
(PACK (CONS 80 0)). So we use 'P to represent the variable P and the
value of (list 'QUOTE 'P) to represent (PACK (CONS 80 0)).

Similarly, if the value of (list 'QUOTE obj1) represents some
explicit value term t1 and the value of (list 'QUOTE obj2) represents
some explicit value term t2, then the value of (list 'QUOTE (cons obj1
obj2)) represents the explicit value term (CONS t1 t2). To obtain the
CAR of (CONS t1 t2) from its representation, we apply car to (cons obj1
obj2). To obtain the UNPACK of (PACK (CONS 80 0)) from its
representation, we apply unpack0 to 'P. However, we must address
three problems.

The  first  problem  concerns  the  precise  choice  of  our  representation 
of  LITATOMs.  The  reason  LITATOMs  must  be  represented  efficiently  is 
that  they  are  used  by  FORMP  to  stand  for  function  and  variable  symbols. 
Thus, the internal representation of a LITATOM satisfying SYMBOLP must
be  an  INTERLISP  object  the  theorem-prover  can  use  as  a  function  or 
variable  symbol.  But  to  implement  a  theorem-prover  efficiently  one's 
function  and  variable  symbols  should  be  distinguishable  by  eq  (in  one 
machine  instruction)  and  have  property  lists.  The  obvious  candidates 
are  literal  atoms.  So  certain  LITATOMs  are  represented  by  INTERLISP 
literal  atoms.  But  for  theoretical  simplicity  we  allow  a  LITATOM  to  be 
constructed  from  any  object  (e.g.,  (PACK  1200)  is  a  LITATOM  in  the 
theory) ,  while  INTERLISP  requires  that  literal  atoms  be  constructed  only 
from  lists  of  ASCII  codes  so  that  they  are  "printable."  To  represent 
the  theory's  "unprintable"  LITATOMs  we  will  use  the  structures  described 
below  for  user-defined  shells.  Thus,  there  are  two  distinct  ways 
LITATOMs  are  represented,  but  any  given  LITATOM  will  be  represented  in 
only  one  of  the  ways,  depending  on  whether  it  is  a  SYMBOLP. 

The  second  problem  is  that  while  certain  shell  constants  in  the 
theory  (e.g.,  some  NUMBERPs,  LITATOMs,  and  LISTPs)  have  obvious 
INTERLISP  representatives,  others  (e.g.,  (TRUE),  (FALSE),  and  user- 
defined  shells  such  as  stacks  or  triples)  do  not.  We  could  use  the 
INTERLISP "user data type" facility to declare a new INTERLISP type for
each  of  these  unusual  types  in  the  theory.  But  this  is  unacceptable 
because  (a)  every  user  data  type  is  initially  allocated  512  words  of 
storage,  regardless  of  how  many  items  of  that  type  are  required,  (b) 
having  additional  data  types  in  use  slows  down  garbage  collections,  (c) 
the  efficiently  compiled  and  widely  used  INTERLISP  routine  equal  does 
not  work  on  user  data  types,  and  (d)  INTERLISP  user  data  types  do  not 
print  out  or  read  in  conveniently. 
We shall therefore encode user-defined shell constants as INTERLISP
list structures containing the name of the constructor (or bottom
object) and the n-tuple of objects representing the explicit value
arguments. But such a list structure could be confused with the
representation of a LISTP containing n+1 objects. To avoid ambiguity,
we cons the value of 1sqm (which stands for "shell quote mark") onto the
front of the structure. This marking scheme avoids ambiguity because
1sqm is not the internal representation of any explicit value; in
particular it does not satisfy symbolp and so does not represent a
LITATOM. Hence a list with 1sqm as its car could not possibly represent a
LISTP whose CAR was represented by 1sqm. For example, if TRIPLE is a
user-defined shell constructor, then the explicit value (TRIPLE 1 (PACK
(CONS 80 0)) 2) is represented by the value of (list 1sqm 'TRIPLE 1 'P
2), embedded in a QUOTE form.

We could represent (TRUE) and (FALSE) similarly (for example,
(TRUE) could be represented by the value of (list 1sqm 'TRUE), embedded
in a QUOTE form), but that would be very inefficient because (TRUE) and
(FALSE) are constantly tested against in tight loops in the
theorem-prover. Instead, we represent (TRUE) and (FALSE) with (the
values of) the variables 1t and 1f, embedded in QUOTE forms. These
values cannot be mistaken as representing LITATOMs in the theory even
though they are literal atoms in INTERLISP.

The third problem is the finite limitations imposed by INTERLISP
(and all programming languages). For example, no INTERLISP literal atom
can have more than 125 characters, nor can any integer require more than
36 bits to represent it. In this paper we pretend INTERLISP imposed no
such limits. To ensure the correctness of our program, we have designed
it to cause errors (which result in the abortion of any proof attempt)
when the finite limitations of INTERLISP are reached. Thus, for
example, we use our own badd1 routine for adding one to an integer,
causing an error if the result is unrepresentable, rather than use
the built-in routine add1 which returns an inaccurate answer on
overflow.
We now make the foregoing sketch precise. An INTERLISP object obj
is called an INTERLISP term if (termp obj) is non-NIL. Below we
define termp and its subroutine evg (for "explicit value guts") which
recognizes the INTERLISP objects that may be embedded in QUOTEs to
represent explicit value terms.


(termp
  (lambda (x)
    (cond ((nlistp x)
           (symbolp x))
          ((eq (car x) 'QUOTE)
           (and (listp (cdr x))
                (null (cddr x))
                (evg (cadr x))))
          (T (and (plistp (cdr x))
                  (equal (length (cdr x))
                         (arity (car x)))
                  (for z in (cdr x) always (termp z))))))).


We  define  (evg  y)  so  that  if  y  is  an  INTERLISP  object  that,  when 
embedded  in  a  QUOTE,  represents  some  explicit  value  term  v,  then  (evg  y) 
is  the  top-level  function  symbol  of  v.  Otherwise,  (evg  y)  is  NIL. 


(evg
  (lambda (y)
    (cond ((nlistp y)
           (cond ((fixp y)
                  (cond ((lessp y 0) (quote MINUS))
                        ((equal y 0) (quote ZERO))
                        (T (quote ADD1))))
                 ((eq y 1t)
                  (quote TRUE))
                 ((eq y 1f)
                  (quote FALSE))
                 ((symbolp y)
                  (quote PACK))
                 (T NIL)))
          ((eq (car y) 1sqm)
           (cond ((and (listp (cdr y))
                       (plistp (cdr y))
                       (equal (length (cddr y))
                              (arity (cadr y)))
                       (assoc (cadr y)
                              (shell.state))
                       (for z in (cddr y) always (evg z))
                       (for restriction in (cdr (assoc (cadr y)
                                                       (shell.state)))
                            as arg in (cddr y) always
                            (cond ((eq (car restriction) 'ONE.OF)
                                   (member (evg arg)
                                           (cdr restriction)))
                                  (T (not (member (evg arg)
                                                  (cdr restriction))))))
                       (cond ((eq (cadr y) (quote PACK))
                              (not (legal.char.code.seq (caddr y))))
                             ((eq (cadr y) (quote MINUS))
                              (equal (caddr y) 0))
                             (T (not (member (cadr y)
                                             (quote (ADD1 ZERO CONS)))))))
                  (cadr y))
                 (T NIL)))
          ((and (evg (car y))
                (evg (cdr y)))
           (quote CONS))
          (T NIL))))


The puzzled reader should be reminded that termp and evg are only
used to say precisely how we represent terms. The theorem-prover only
calls termp once when a term is submitted to it by the user. Internal
subroutines know what terms look like; indeed, it is to make these
internal subroutines efficient that termp is so complicated. As for the
correctness of metafunctions, all we have to prove is that when given
FORMPs they return FORMPs. The careful reader will note that FORMP is
considerably simpler than termp; in particular there is nothing
corresponding to the ghastly evg. The fact that a QUOTEd evg can be
proved to be a FORMP if and only if the evg itself is a termp is what we
have to prove once and for all as Lemma 18.

G.  Solidification 

We now specify what term in the theory is represented by a given
INTERLISP term. Given an INTERLISP term x, the routine s (for
"solidify") returns an INTERLISP object that when printed is the term
represented by x, displayed without any abbreviations. The subroutine
sevg ("solidify explicit value guts") computes the explicit value term
represented by an evg object. These two routines are never used by the
theorem-prover. They are defined only to make precise the map from
INTERLISP terms to terms in the theory.

(s
  (lambda (x)
    (cond ((nlistp x)
           x)
          ((eq (car x) 'QUOTE)
           (sevg (cadr x)))
          (T (cons (car x)
                   (for z in (cdr x) collect (s z)))))))
(sevg
  (lambda (y)
    (cond ((nlistp y)
           (cond ((litatom y)
                  (cond ((eq y 1t)
                         (quote (TRUE)))
                        ((eq y 1f)
                         (quote (FALSE)))
                        (T (list (quote PACK)
                                 (sevg (unpack0 y))))))
                 ((lessp y 0)
                  (list (quote MINUS)
                        (add1.nest (bminus y))))
                 (T (add1.nest y))))
          ((eq (car y) 1sqm)
           (cons (cadr y)
                 (for z in (cddr y) collect (sevg z))))
          (T (list (quote CONS)
                   (sevg (car y))
                   (sevg (cdr y)))))))


H. Some Example INTERLISP Terms and Solidifications

Suppose that the value of 1sqm is the INTERLISP literal atom 1SQM
(which could not represent a symbol because it has a digit as its first
character). Below we exhibit, in the left-hand column, some sample
INTERLISP objects (as printed by prin4) and, in the right-hand column,
the corresponding term in our theory. In the table we have printed some
of the ADD1-nests as integers even though |(s x)| never actually
contains integers.
x                          |(s x)|

(PLUS (QUOTE 1) X)         (PLUS (ADD1 (ZERO)) X)

(FN (QUOTE (A . B)))       (FN (CONS (PACK (CONS 65 0))
                                     (PACK (CONS 66 0))))

(QUOTE (1SQM PACK 2))      (PACK (ADD1 (ADD1 (ZERO))))

(QUOTE 0)                  (ZERO)

(QUOTE (QUOTE 0))          (CONS (PACK (CONS 81
                                             (CONS 85
                                                   (CONS 79
                                                         (CONS 84 (CONS 69 0))))))
                                 (CONS (ZERO)
                                       (PACK (CONS 78
                                                   (CONS 73 (CONS 76 0))))))

(ZERO)                     (ZERO)

(QUOTE (ZERO))             (CONS (PACK (CONS 90
                                             (CONS 69
                                                   (CONS 82 (CONS 79 0)))))
                                 (PACK (CONS 78 (CONS 73 (CONS 76 0)))))

Displayed with some abbreviations, the last four entries in the
table are:

x                          |(s x)|

(QUOTE 0)                  (ZERO)

(QUOTE (QUOTE 0))          (LIST "QUOTE" (ZERO))

(ZERO)                     (ZERO)

(QUOTE (ZERO))             (LIST "ZERO")
These examples are included to encourage the reader to think about
our claim that if obj represents the term t, then the result of
embedding obj in a QUOTE represents a term whose MEANING, under the
standard alist for the variables in t, is t. Note that (QUOTE 0)
represents the term (ZERO); the result of embedding (QUOTE 0) in a QUOTE
is (QUOTE (QUOTE 0)), which represents the term (LIST "QUOTE" (ZERO)).

As  claimed,  the  MEANING  of  (LIST  "QUOTE"  (ZERO))  is  (ZERO).  But  the 
INTERLISP  list  that  prints  as  (ZERO)  is  also  a  termp  that  represents 
(ZERO).  The  result  of  embedding  (ZERO)  in  a  QUOTE  is  (QUOTE  (ZERO)), 
which  represents  the  term  (LIST  "ZERO").  (LIST  "ZERO")  and  (LIST 
"QUOTE"  (ZERO))  are  two  distinct  explicit  values  and  are  thus  not  EQUAL. 
Nevertheless,  the  MEANING  of  (LIST  "ZERO")  is  (ZERO). 


VII  PROOFS  OF  THE  LEMMAS 


A. Lemmas 1 Through 7

The  first  important  lemma  is  Lemma  4,  which  establishes  that  every 
INTERLISP  term  actually  represents  a  term  in  the  logic.  Lemma  4 
guarantees  that  | (s  obj)|  is  a  term  in  our  theory  when  (termp  obj)  is 
non-NIL.  Lemma  5  states  that  if  obj  is  an  INTERLISP  term,  then  (list 
'QUOTE  obj)  is  an  INTERLISP  term. 

We will first state and prove a very simple lemma as a warm-up
exercise.

Lemma 1 ("add1.nest of an integer is a term"). If i is a
nonnegative INTERLISP integer, then |(add1.nest i)| is a term.

First consider an example. If i is the INTERLISP integer 3 then
|(add1.nest i)| is the explicit value term (ADD1 (ADD1 (ADD1 (ZERO)))).

Proof. We prove Lemma 1 by induction on i.

Base case. If i is 0, (add1.nest i) returns the value of (list
'ZERO), which prints as (ZERO).

Induction step. If i is an integer greater than 0, we may
inductively assume that |(add1.nest (sub1 i))| is a term. Then
|(add1.nest i)| is |(list 'ADD1 (add1.nest (sub1 i)))| which is (ADD1
|(add1.nest (sub1 i))|), which is a well-formed term since ADD1 is a
function symbol of one argument and the argument, |(add1.nest (sub1
i))|, is a term by inductive hypothesis. Q.E.D.

Lemma 2 ("sevg of a list of integers is a term"). If obj is an
INTERLISP list of nonnegative integers whose final CDR is 0, then |(sevg
obj)| is a term.

Consider another example. If obj is an INTERLISP list which prints
as

(1 2 . 0)

then |(sevg obj)| is the term

(CONS (ADD1 (ZERO)) (CONS (ADD1 (ADD1 (ZERO))) (ZERO))),

or more succinctly, using the abbreviations of the theory,

(CONS 1 (CONS 2 0)).

Proof. The proof is by induction on the size of obj.

Base case. If obj is not a cons, then it must be 0. But |(sevg
0)| is |(add1.nest 0)|, which is a term by Lemma 1 ("add1.nest of an
integer is a term").

Induction step. If obj is a cons, then (car obj) is a nonnegative
integer and |(sevg (cdr obj))| is a term, by inductive hypothesis.
Since (car obj) is not 1sqm (because 1sqm is not an integer),

|(sevg obj)| = |(list 'CONS (sevg (car obj)) (sevg (cdr obj)))|

             = |(list 'CONS (add1.nest (car obj))
                            (sevg (cdr obj)))|

             = (CONS |(add1.nest (car obj))|
                     |(sevg (cdr obj))|),

which is a term since CONS is a function symbol of two arguments and
both arguments in the CONS-expression above are themselves terms by
Lemma 1 ("add1.nest of an integer is a term") and our induction
hypothesis. Q.E.D.

Lemma 3 ("sevg of an evg is a term"). If (evg obj) is non-NIL,
then |(sevg obj)| is a term. (In fact, |(sevg obj)| in this case is an
explicit value term, but we will prove that later.)

Proof. We induct on the size of obj.

Base case. Suppose that obj is not a cons. By the definition of
evg, obj must therefore be an integer (i.e., recognized by fixp), 1t,
1f, or a symbolp. (a) If obj is an integer, |(sevg obj)| is either
|(add1.nest obj)| or (MINUS |(add1.nest (bminus obj))|), both of which
are terms by Lemma 1 ("add1.nest of an integer is a term"). (b) If obj
is 1t or 1f, then |(sevg obj)| is (TRUE) or (FALSE), both of which are
terms. (c) If (symbolp obj) then we also have (litatom obj) and thus
|(sevg obj)| is (PACK |(sevg (unpack0 obj))|). But since (unpack0 obj)
is an INTERLISP list of nonn
egative integers whose final cdr is 0, Lemma
2 ("sevg of a list of integers is a term") tells us |(sevg (unpack0
obj))| is a term. Hence (PACK |(sevg (unpack0 obj))|) is a term.

Induction step. Suppose obj is a cons. We inductively assume that
|(sevg obj')| is a term whenever obj' is an INTERLISP object such that
(evg obj') holds and obj' is smaller than obj (as measured by the
INTERLISP routine count). (a) If the car of obj is 1sqm, then, by our
(evg obj) hypothesis, obj must have the form (1sqm fn arg1 ... argn),
where fn is a constructor function symbol or bottom object function
symbol, n is the arity of fn, and (evg argi) holds for each argi. Then
|(sevg obj)| is (fn |(sevg arg1)| ... |(sevg argn)|), which is a term by
the induction hypothesis. (b) If the car of obj is not 1sqm, then we have
(evg (car obj)) and (evg (cdr obj)) and therefore, by our induction
hypotheses, |(sevg (car obj))| and |(sevg (cdr obj))| are terms. But
|(sevg obj)| is (CONS |(sevg (car obj))| |(sevg (cdr obj))|), which is
also a term. Q.E.D.

Lemma 4 ("s of a termp is a term"). If (termp obj), then |(s
obj)| is a term.

Proof. We induct on the size of obj.

Base case. Given that obj is not a cons and (termp obj) is non-NIL,
we know (symbolp obj). Thus, |obj| (i.e., the print name of obj)
is a character sequence satisfying the restrictions on variable symbols
in our logic. But |(s obj)| is |obj| and thus a term (in particular, a
variable).

Induction step. Suppose obj is a cons. (a) If (car obj) is
'QUOTE, then (termp obj) implies that obj must have the form (QUOTE
obj') where (evg obj'). |(s obj)| is then |(sevg obj')|, which is a
term by Lemma 3 ("sevg of an evg is a term"). (b) If (car obj) is not
'QUOTE, then obj has the form (fn arg1 ... argn) where n is the
nonnegative arity of the function symbol fn and (termp argi) for each i.
|(s obj)| is (fn |(s arg1)| ... |(s argn)|), which is a term since each
|(s argi)| is inductively a term. Q.E.D.

Lemma 5 ("QUOTEd term is a term"). If (termp obj), then (termp
(list 'QUOTE obj)).

Proof. By the definition of termp, (termp (list 'QUOTE obj)) is
equivalent to (evg obj). Thus it suffices to show that (termp obj)
implies (evg obj).

The proof is by induction on the size of obj.

Base case. Suppose obj is not a cons. Then from (termp obj), we
have (symbolp obj), which guarantees (evg obj).

Induction step. Suppose obj is a cons.

(a) If (car obj) is 'QUOTE, then, by (termp obj), we have (listp
(cdr obj)), (evg (cadr obj)) and that (cddr obj) is NIL. Since (car
obj) is not 1sqm, (evg obj) is equivalent to the conjunction of (evg
(car obj)) and (evg (cdr obj)). The first is immediate. The second is
equivalent to the conjunction of (evg (cadr obj)) and (evg (cddr obj))
(both of which are also immediate) provided (cadr obj) is not 1sqm. But
(cadr obj) cannot be 1sqm because (evg (cadr obj)) is non-NIL, while
(evg 1sqm) is NIL (because 1sqm is a literal atom, distinct from 1t and
1f, and not a symbolp).

(b) If (car obj) is not 'QUOTE, then obj has the form (fn arg1
... argn), where n is the length of (cdr obj), (arity fn) is n, and
(termp argi) for each i. Provided neither fn nor any argi is 1sqm, (evg
obj) is equivalent to the conjunction of (evg fn), (evg arg1), ..., (evg
argn), and (evg NIL). But (evg fn) follows from the fact that (arity
fn) is (length (cdr obj)), which is a nonnegative integer, and (arity
fn) is a nonnegative integer only if (symbolp fn). Each (evg argi)
follows from our inductive hypotheses and (termp argi). (evg NIL) is
immediate. Thus, we must show that neither fn nor any argi is 1sqm.
But since (evg 1sqm) is NIL, this must be the case. Q.E.D.
Lemma 6 ("unique representation of explicit values"). For each
explicit value term t, there exists (modulo INTERLISP equality) exactly
one INTERLISP object v such that (evg v) is non-NIL and |(sevg v)| is t.

We do not prove this lemma here. The proof, by induction on the
structure of explicit values, is tedious but straightforward. We
indicate how the proof goes by considering the case for an explicit
value of the form (CONS t1 t2). By induction hypothesis, the explicit
values t1 and t2 are uniquely represented, say by v1 and v2. The
existence part of the proof is easy. The evg (cons v1 v2) represents
(CONS t1 t2): since v1 is an evg, it is not 1sqm and so |(sevg (cons v1
v2))| is (CONS |(sevg v1)| |(sevg v2)|) which is (CONS t1 t2). The
uniqueness argument is more tedious. Suppose that for some evg v not
equal to (cons v1 v2), |(sevg v)| is (CONS t1 t2). Consider the
structure of v. Suppose v is not a list. Then the function symbol of
|(sevg v)| is either TRUE, FALSE, PACK, MINUS, ADD1, or ZERO,
contradicting the assumption that it is CONS. Suppose v is a list whose
car is 1sqm. Then the cadr of v must be CONS since the function symbol
of |(sevg v)| is CONS. But (evg v) requires that the cadr of such a v
not be CONS, so such a v is not an evg. Thus, v must be a list whose
car is not 1sqm. But then its car must be an evg representing t1 and
its cdr an evg representing t2. v1 and v2 are the only evgs with that
property. Thus, v is equal to (cons v1 v2).

In general, the key to the uniqueness argument is that evg checks
that 1sqm is not used to "counterfeit" terms that have more efficient
representations. Thus, (list 1sqm 'CONS v1 v2), the counterfeit
representation of (CONS t1 t2), fails to be an evg. Similarly, evg
checks that 1sqm is not used to represent ADD1 terms, (ZERO), PACK terms
of LEGAL.CHAR.CODE.SEQs, or MINUS terms other than (MINUS 0).
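The representation of sections F through H (termp, evg, sevg and s) and the counterfeit check on which the uniqueness argument for Lemma 6 rests, as an added Python model. This is not the paper's code, which is INTERLISP. Cons cells are modelled as a namedtuple so that == plays the role of INTERLISP equal, literal atoms are Python strings, fixnums are Python ints, and the three global atoms 1t, 1f and 1sqm are assumed to be the strings "1T", "1F" and "1SQM" (not symbolp, since a symbol may not begin with a digit). The (shell.state) table, including a user-defined shell TRIPLE whose first component must be a NUMBERP, the arities of PLUS and FN, and the legal character-code sets are assumptions made for the example. The routine rep, which computes the representative that Lemma 6 says is unique, is also an addition and not a routine of the paper.

```python
# Added example, not the paper's INTERLISP code.  Assumed: Cons is a namedtuple (== is INTERLISP
# equal), atoms are str, fixnums are int, and 1t/1f/1sqm are the non-symbol atoms "1T"/"1F"/"1SQM".
from collections import namedtuple
Cons = namedtuple("Cons", "car cdr")

def lisp_list(*xs, tail="NIL"):             # build (x1 x2 ... . tail)
    for x in reversed(xs):
        tail = Cons(x, tail)
    return tail

def split(x):                               # (elements, final cdr) of a cons chain
    out = []
    while isinstance(x, Cons):
        out.append(x.car)
        x = x.cdr
    return out, x

# Assumed character-code sets and (shell.state); TRIPLE is an assumed user-defined shell.
LEGAL_CHAR_CODES = {ord(c) for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-"}
ILLEGAL_FIRST_CHAR_CODES = {ord(c) for c in "0123456789"}
SHELL_STATE = {
    "ZERO": [], "TRUE": [], "FALSE": [],
    "ADD1": [("ONE.OF", ["ZERO", "ADD1"])],
    "MINUS": [("ONE.OF", ["ZERO", "ADD1"])],
    "PACK": [("NONE.OF", [])],
    "CONS": [("NONE.OF", []), ("NONE.OF", [])],
    "TRIPLE": [("ONE.OF", ["ZERO", "ADD1"]), ("NONE.OF", []), ("NONE.OF", [])],
}
ARITY = dict({fn: len(r) for fn, r in SHELL_STATE.items()}, PLUS=2, FN=1)

def unpack0(atom):                          # print name as a list of char codes ending in 0
    return lisp_list(*(ord(c) for c in atom), tail=0)

def legal_char_code_seq(x):
    codes, tail = split(x)
    return (bool(codes) and tail == 0 and codes[0] not in ILLEGAL_FIRST_CHAR_CODES
            and all(c in LEGAL_CHAR_CODES for c in codes))

def symbolp(x):                             # literal atom usable as a function or variable symbol
    return isinstance(x, str) and legal_char_code_seq(unpack0(x))

def termp(x):                               # is x an INTERLISP term?
    if not isinstance(x, Cons):
        return symbolp(x)
    if x.car == "QUOTE":
        return isinstance(x.cdr, Cons) and x.cdr.cdr == "NIL" and evg(x.cdr.car) is not None
    args, tail = split(x.cdr)
    return (tail == "NIL" and symbolp(x.car) and ARITY.get(x.car) == len(args)
            and all(termp(z) for z in args))

def evg(y):  # function symbol of the explicit value y represents inside a QUOTE, else None
    if not isinstance(y, Cons):
        if type(y) is int:
            return "MINUS" if y < 0 else "ZERO" if y == 0 else "ADD1"
        return {"1T": "TRUE", "1F": "FALSE"}.get(y) or ("PACK" if symbolp(y) else None)
    if y.car != "1SQM":
        return "CONS" if evg(y.car) and evg(y.cdr) else None
    rest, tail = split(y.cdr)               # must be (1sqm fn arg1 ... argn), fn a shell function
    if tail != "NIL" or not rest or rest[0] not in SHELL_STATE:
        return None
    fn, args = rest[0], rest[1:]
    if len(args) != len(SHELL_STATE[fn]) or not all(evg(a) for a in args):
        return None
    for (kind, names), a in zip(SHELL_STATE[fn], args):   # component type restrictions
        if (evg(a) in names) != (kind == "ONE.OF"):
            return None
    ok = (not legal_char_code_seq(args[0]) if fn == "PACK" else    # reject counterfeits (Lemma 6)
          args[0] == 0 if fn == "MINUS" else fn not in ("ADD1", "ZERO", "CONS"))
    return fn if ok else None

def add1_nest(i):
    return ("ZERO",) if i == 0 else ("ADD1", add1_nest(i - 1))

def sevg(y):                                # explicit value term (nested tuples) for an evg y
    if isinstance(y, str):
        return {"1T": ("TRUE",), "1F": ("FALSE",)}.get(y) or ("PACK", sevg(unpack0(y)))
    if isinstance(y, int):
        return ("MINUS", add1_nest(-y)) if y < 0 else add1_nest(y)
    if y.car == "1SQM":
        return (y.cdr.car, *map(sevg, split(y.cdr.cdr)[0]))
    return ("CONS", sevg(y.car), sevg(y.cdr))

def s(x):                                   # solidify: the term an INTERLISP term represents
    if not isinstance(x, Cons):
        return x                            # a variable
    return sevg(x.cdr.car) if x.car == "QUOTE" else (x.car, *map(s, split(x.cdr)[0]))

def rep(t):                                 # the one evg representing explicit value t (Lemma 6)
    fn, args = t[0], [rep(a) for a in t[1:]]
    if fn in ("TRUE", "FALSE", "ZERO"):
        return {"TRUE": "1T", "FALSE": "1F", "ZERO": 0}[fn]
    if fn == "ADD1":
        return args[0] + 1
    if fn == "MINUS" and args[0] != 0:
        return -args[0]
    if fn == "CONS":
        return Cons(*args)
    if fn == "PACK" and legal_char_code_seq(args[0]):
        return "".join(chr(c) for c in split(args[0])[0])
    return lisp_list("1SQM", fn, *args)
```

With this model, s applied to the left-hand entries of the table in section H yields the right-hand terms, and termp accepts (QUOTE x) for every termp x, as Lemma 5 requires. evg rejects (1SQM CONS 1 2), (1SQM PACK (80 . 0)), (1SQM MINUS 3) and (1SQM ZERO), while accepting (1SQM PACK 2), (1SQM MINUS 0) and (1SQM TRIPLE 1 P 2), so every explicit value has exactly the representative that rep computes and sevg(rep(t)) is t. That is the property Lemma 11 relies on when it equates EQUAL in the logic with equal in INTERLISP: a metafunction is never handed two different encodings of one constant, so an equality test inside the theorem-prover cannot disagree with the logic about which values are the same.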

We next prove a result similar to but stronger than Lemma 3 ("sevg
of an evg is a term").

Lemma 7 ("sevg of an evg is an explicit value"). If (evg v) then
|(sevg v)| is an explicit value term.
Proof. By Lemma 3 we know |(sevg v)| is a term. To prove that it
is an explicit value term we must prove that (i) there are no variables
in it, (ii) there are no function symbols other than TRUE, FALSE, and
shell constructor and bottom object function symbols, and (iii) if the
term t occurs as the ith argument to some constructor function const in
|(sevg v)|, then the function symbol of t must be one of those
recognized (or, depending on the type restriction, not recognized) by
the finite set of recognizers specified for the ith component of const.

The proof of each of these facts is by induction on the size of v.
Proving that |(sevg v)| contains no variables is immediate from
inspection of sevg and one's inductive hypotheses. Proving that all the
function symbols are as specified by (ii) is immediate from inspection
of sevg and induction except for the case where v is a list whose car is
1sqm. In this case (sevg v) is (cons (cadr v) ...) and so might appear
to have an arbitrary function symbol when printed. But (evg v) ensures
us that (cadr v) is a shell constructor or bottom object, since it must
be found on (shell.state). As for (iii), there are three interesting
cases: |(sevg v)| is an (ADD1 ...), a (MINUS ...), or a user-defined
shell constructor term. No other primitive shells have type
restrictions on their components. A trivial case analysis shows that
add1.nest produces only terms satisfying NUMBERP, so the first two cases
are immediate. When the third case obtains, the car of v is 1sqm and we
must prove that the function symbol of each of the arguments satisfies
the corresponding type restriction. But (evg v) checks precisely that
by insuring that the function symbol of each argument is a member of
(or, depending on the type restriction, not a member of) the finite set
specified by (shell.state). Q.E.D.

B. Lemmas 8 Through 18

We  now  prove  a  series  of  lemmas  that  let  us  move  from  reductions  in 
a  history  to  computations  in  INTERLISP.  Our  main  goal  in  this  section 
is  Lemma  18. 
Lemma 8 ("LISTP iff listp and not 1sqm"). If (evg x), then the
reduction of (LISTP |(sevg x)|) is (TRUE) if and only if (listp x) is
non-NIL and (car x) is not 1sqm.

Proof. If (listp x) is NIL or (car x) is 1sqm, then the function
symbol of |(sevg x)| is either TRUE, FALSE, a bottom object, or a shell
constructor other than CONS. Thus, the reduction of (LISTP |(sevg x)|)
is (FALSE). To prove the lemma in the other direction, suppose (listp
x) is non-NIL and (car x) is not 1sqm. Then (LISTP |(sevg x)|) is
(LISTP (CONS |(sevg (car x))| |(sevg (cdr x))|)), whose reduction is
(TRUE). Q.E.D.

Lemma 9 ("CDR is cdr when not 1sqm"). If (evg x) and (listp x)
and the car of x is not 1sqm, then the reduction of (CDR |(sevg x)|) is
|(sevg (cdr x))|.

Proof. The proof is trivial. Under the conditions given,

(CDR |(sevg x)|)

is

(CDR (CONS |(sevg (car x))| |(sevg (cdr x))|)),

whose reduction is |(sevg (cdr x))|. Q.E.D.

We state, without proof, the analogous lemma for CAR and car.

Lemma 10 ("CAR is car when not 1sqm"). If (evg x) and (listp x)
and the car of x is not 1sqm, then the reduction of (CAR |(sevg x)|) is
|(sevg (car x))|.

Lemma 11 ("EQUAL iff identical"). If (evg x) and (evg y) then the
reduction of (EQUAL |(sevg x)| |(sevg y)|) is (TRUE) if and only if x
and y are equal.

Proof. Recall that the reduction of the equation of two explicit
values is (TRUE) if and only if the two terms are identical. In
addition, by Lemma 7 ("sevg of an evg is an explicit value"), |(sevg x)|
and |(sevg y)| are both explicit values.

Suppose the reduction of (EQUAL |(sevg x)| |(sevg y)|) is (TRUE).
Then |(sevg x)| and |(sevg y)| are identical. So x and y are equal by
Lemma 6 ("unique representation of explicit values"). In the other
direction, the reduction is immediate. Q.E.D.

Lemma 12 ("LEGAL.CHAR.CODE.SEQ iff legal.char.code.seq"). If (evg
v), then the reduction of (LEGAL.CHAR.CODE.SEQ |(sevg v)|) is (TRUE) if
and only if (legal.char.code.seq v) is non-NIL.

Recall that LEGAL.CHAR.CODE.SEQ checks that its argument is a LISTP
whose first member is not in (ILLEGAL.FIRST.CHAR.CODES), is a subset of
(LEGAL.CHAR.CODES), and terminates in a 0. legal.char.code.seq checks
the same things at the level of INTERLISP.

We do not prove this lemma here. However, we will indicate how the
proof goes. Our proof involves the following two lemmas:

(1) If (evg c), (evg x), and every element of x is an evg,
then the reduction of (MEMBER |(sevg c)| |(sevg x)|) is
(TRUE) if and only if (member c x) is non-NIL.

(2) If (evg x), (evg y), and y is a list of evgs, then the
reduction of

*a  (AND (SUBSETP |(sevg x)| |(sevg y)|)
         (EQUAL (ZERO)
                (IF (LISTP |(sevg x)|)
                    (CDR (LAST |(sevg x)|))
                    |(sevg x)|)))

is (TRUE) if and only if

*b  (and (for c in x always (member c y))
         (equal 0
                (cond ((listp x) (cdr (last x)))
                      (t x)))).

To use these two lemmas in the proof of Lemma 12
("LEGAL.CHAR.CODE.SEQ iff legal.char.code.seq") it is only necessary to
observe that (LEGAL.CHAR.CODES) and (ILLEGAL.FIRST.CHAR.CODES) reduce to
|(sevg (legal.char.codes))| and |(sevg (illegal.first.char.codes))|.
Furthermore, since both (legal.char.codes) and
(illegal.first.char.codes) are lists of integers, they are also lists of
evgs.
Lemma 13 ("SYMBOLP iff symbolp"). If (evg v) then the reduction of
(SYMBOLP |(sevg v)|) is (TRUE) if and only if (symbolp v) is non-NIL.

Proof. If the reduction of the SYMBOLP expression is (TRUE), we
know the reduction of (LITATOM |(sevg v)|) is (TRUE) and that the
reduction of (LEGAL.CHAR.CODE.SEQ (UNPACK |(sevg v)|)) is (TRUE). But
by sevg and evg, if the reduction of the LITATOM expression is (TRUE)
then either v is a literal atom and (legal.char.code.seq (unpack0 v))
holds so (symbolp v) holds, or else v is a list whose car is 1sqm, whose
cadr is PACK, and whose caddr is rejected by legal.char.code.seq. We
can prove the latter cannot happen, because for such a v (UNPACK |(sevg
v)|) is |(sevg (caddr v))| and hence the reduction of
(LEGAL.CHAR.CODE.SEQ |(sevg (caddr v))|) is (TRUE), and so Lemma 12
("LEGAL.CHAR.CODE.SEQ iff legal.char.code.seq") assures us that
(legal.char.code.seq (caddr v)) is non-NIL, contradicting the hypothesis
that (caddr v) was rejected by legal.char.code.seq. The argument in the
other direction is similar. Q.E.D.

Lemma 14 ("if PLISTP, then plistp and list of evgs"). If (evg x)
and the reduction of (PLISTP |(sevg x)|) is (TRUE), then (plistp x) is
non-NIL and every element of x is an evg.

The definition of the function PLISTP, from [1], is:

Definition.
(PLISTP L)
=
(IF (LISTP L)
    (PLISTP (CDR L))
    (EQUAL L "NIL")).

Observe that if c is reducible and (FORM.LSTP c) reduces to (TRUE), then
so does (PLISTP c). We introduce PLISTP only to make it easier
to establish later that if (FORM.LSTP |(sevg x)|) reduces to (TRUE) then
x is a proper list of evgs. We now prove Lemma 14.

Proof. We induct on x.

Base case. If x is not a cons, then the reduction of (LISTP |(sevg
x)|) is (FALSE) by Lemma 8 ("LISTP iff listp and not lsqm"). Since the
reduction of (PLISTP |(sevg x)|) is (TRUE), (EQUAL "NIL" |(sevg x)|)
must reduce to (TRUE), which implies x is NIL by Lemma 11 ("EQUAL iff
identical"). But if x is NIL, then our conclusion holds.

Induction step. If x is a cons, inductively assume that if the
reduction of (PLISTP |(sevg (cdr x))|) is (TRUE), then (plistp (cdr x))
is non-NIL and every element of (cdr x) is an evg. We must show (plistp
x) and that every element of x is an evg. We first observe that (car x)
cannot be lsqm, for if it were, (LISTP |(sevg x)|) would reduce to
(FALSE) by Lemma 8 ("LISTP iff listp and not lsqm") and so the reduction
of (EQUAL "NIL" |(sevg x)|) would have to be (TRUE), but is not, by
Lemma 11 ("EQUAL iff identical") and the observation that NIL is not
identical to x. So, we have that the reduction of (LISTP |(sevg x)|) is
(TRUE) and thus the reduction of (PLISTP (CDR |(sevg x)|)) is also. But
then the reduction of (PLISTP |(sevg (cdr x))|) is (TRUE) by Lemma 9
("CDR is cdr when not lsqm"), so we get, from our induction hypothesis,
that (plistp (cdr x)) is non-NIL and every element of (cdr x) is an evg.
The former guarantees that (plistp x) is non-NIL, and the latter
guarantees that every element of x is an evg if we can establish that
(car x) is an evg. But this follows from (evg x), given that (car x) is
not lsqm. Q.E.D.

Lemma 15 ("LENGTH is length when list of evgs"). If (evg x) and x
is a list of evgs, then the reduction of (LENGTH |(sevg x)|) is |(sevg
(length x))|.

The proof, by induction on x, is omitted because it is so similar
to the proof of the preceding Lemma 14.

For the remainder of this section, let us assume that the state of
the INTERLISP machine (in particular, the definitions of arity and
shell.state) reflects the history T2 of the Metatheorem.

Lemma 16 ("ARITY is arity"). If (symbolp x), then the reduction in
both T2 and MD[T2] of (ARITY |(sevg x)|) is |(sevg (arity x))|.

Proof. The function symbols TRUE, NOT, IMPLIES, PLUS, f1, ..., fm
are, by definition, the only functions mentioned in the axioms of T2.
If x is one of these symbols, the theorem holds by the definitions of
arity and ARITY. If x is not one of these symbols, both are "NIL".
Q.E.D.

Lemma 17 ("if FORM.LSTP, then list of FORMPs"). If x is a proper
list of evgs and the reduction of (FORM.LSTP |(sevg x)|) in T2 is
(TRUE), then for each element arg in x, the reduction of (FORMP |(sevg
arg)|) is (TRUE).

Proof. The proof is by induction on x.

Base case. If x is not a cons, then the reduction of (LISTP |(sevg
x)|) is (FALSE) by Lemma 8 ("LISTP iff listp and not lsqm") so by our
FORM.LSTP hypothesis we know the reduction of (EQUAL |(sevg x)| "NIL")
is (TRUE), so x must be NIL by Lemma 6 ("unique representation of
explicit values") and our conclusion is vacuously true.

Induction step. If x is a cons, we can inductively assume that if
(cdr x) is a proper list of evgs and the reduction of (FORM.LSTP |(sevg
(cdr x))|) is (TRUE), then for every arg in (cdr x), the reduction of
(FORMP |(sevg arg)|) is (TRUE). We must prove that if x is a proper
list of evgs and the reduction of (FORM.LSTP |(sevg x)|) is (TRUE),
then for each element arg of x, the reduction of (FORMP |(sevg arg)|) is
(TRUE). Observe that (car x) is not lsqm, for if it were, (LISTP |(sevg
x)|) would reduce to (FALSE) by Lemma 8 but the reduction of (EQUAL
|(sevg x)| "NIL") is (FALSE) by a unique representation of explicit
values argument. So the reduction of (LISTP |(sevg x)|) is (TRUE) and
we infer that the reduction of both (FORMP (CAR |(sevg x)|)) and
(FORM.LSTP (CDR |(sevg x)|)) is (TRUE). Moving the CAR and CDR inside,
using Lemmas 9 and 10, we determine that the reduction of both (FORMP
|(sevg (car x))|) and (FORM.LSTP |(sevg (cdr x))|) is (TRUE), and by
using our induction hypothesis, we establish that the reduction of
(FORMP |(sevg arg)|) is (TRUE) when arg is (car x) or an element of (cdr
x), which is to say, for each element arg of x. Q.E.D.

We now prove the first of the two lemmas used directly in the proof
that our implementation of the Metatheorem is correct. Lemma 18
establishes that if (FORMP c) reduces to (TRUE) and c is represented by
(list 'QUOTE obj), then obj itself represents a term. In fact, the
lemma holds in the other direction too, but we do not need it or prove
it in that direction.

Lemma 18 ("FORMP of a QUOTEd evg iff termp"). If (termp (list
'QUOTE obj)) and the reduction of (FORMP |(s (list 'QUOTE obj))|) in
T2 (equivalently, MD[T2]) is (TRUE), then (termp obj).

Proof. Observe that the first hypothesis is equivalent to (evg
obj) and the second hypothesis is equivalent to the supposition that the
reduction of (FORMP |(sevg obj)|) is (TRUE). The proof is by induction
on the size of obj.

Base case. If obj is not a cons, then by Lemma 8 ("LISTP iff listp
and not lsqm") we know (LISTP |(sevg obj)|) reduces to (FALSE). Thus,
by our FORMP hypothesis, we know the reduction of (SYMBOLP |(sevg obj)|)
is (TRUE). Hence, by Lemma 13 ("SYMBOLP iff symbolp") we know (symbolp
obj), which guarantees (termp obj).

Induction step. obj is a cons. Consider (car obj).

(a). If (car obj) is 'QUOTE, then we must show (i) (listp (cdr
obj)), (ii) (null (cddr obj)), and (iii) (evg (cadr obj)). The
reduction of (FORMP |(sevg obj)|) is the reduction of (FORMP (CONS
"QUOTE" |(sevg (cdr obj))|)), which means that the reduction of both
(LISTP |(sevg (cdr obj))|) and (EQUAL "NIL" (CDR |(sevg (cdr obj))|)) is
(TRUE). Lemma 8 ("LISTP iff listp and not lsqm") is sufficient to
ensure (i). In addition, Lemma 8 tells us (cadr obj) is not lsqm. Thus
the reduction of (EQUAL "NIL" (CDR |(sevg (cdr obj))|)) is the reduction
of (EQUAL "NIL" |(sevg (cddr obj))|) by Lemma 9 ("CDR is cdr when not
lsqm"). But then (cddr obj) is NIL, by a unique representation of
explicit values argument. So (ii) holds. As for (iii), note that since
both obj and (cdr obj) are listps and neither (car obj) nor (cadr obj)
is lsqm, (evg obj) establishes (evg (cdr obj)) which in turn gives us
(evg (cadr obj)), which is (iii).
(b). If (car obj) is not 'QUOTE, then we need to show (i) (plistp
(cdr obj)), (ii) (equal (length (cdr obj)) (arity (car obj))), and (iii)
(for z in (cdr obj) always (termp z)). Our hypotheses are (evg obj) and
that the reduction of (FORMP |(sevg obj)|) is (TRUE). First we
establish that (car obj) is not lsqm. Suppose it were. Then the
reduction of (LISTP |(sevg obj)|) would be (FALSE) by Lemma 8 ("LISTP
iff listp and not lsqm") and thus the reduction of (FORMP |(sevg obj)|)
would be (FALSE) since the reduction of (SYMBOLP |(sevg obj)|) is
(FALSE) by Lemma 13 ("SYMBOLP iff symbolp"). Thus, (car obj) is not
lsqm and the reduction of (LISTP |(sevg obj)|) is (TRUE).

Thus, our hypothesis that the reduction of (FORMP |(sevg obj)|) is
(TRUE) gives us that the reductions of both

(EQUAL (ARITY (CAR |(sevg obj)|))
       (LENGTH (CDR |(sevg obj)|)))

and

(FORM.LSTP (CDR |(sevg obj)|))

are (TRUE). Hence the reduction of

(PLISTP (CDR |(sevg obj)|))

is (TRUE). By Lemmas 9 and 10 ("CDR is cdr when not lsqm" and "CAR is
car when not lsqm"), and Lemma 16 ("ARITY is arity"), the reduction of
each of the following is (TRUE):

(EQUAL |(sevg (arity (car obj)))|
       (LENGTH |(sevg (cdr obj))|)),

(FORM.LSTP |(sevg (cdr obj))|),

and

(PLISTP |(sevg (cdr obj))|).

Thus, by Lemma 14 ("if PLISTP, then plistp and list of evgs") we know
(plistp (cdr obj)) is non-NIL (which establishes (i)) and that every
element of (cdr obj) is an evg. But now we can apply Lemma 15 ("LENGTH
is length when list of evgs") and Lemma 17 ("if FORM.LSTP, then list of
FORMPs") to get that the reduction of

(EQUAL |(sevg (arity (car obj)))|
       |(sevg (length (cdr obj)))|)

is (TRUE) and that for every arg in (cdr obj), the reduction of (FORMP
|(sevg arg)|) is (TRUE). The former is sufficient to guarantee (ii), by
a unique representation of explicit values argument. The latter
guarantees (iii) since, by induction hypothesis, when the reduction of
(FORMP |(sevg arg)|) is (TRUE) for an arg whose count is smaller than
obj, then (termp arg) is non-NIL. Q.E.D.

C. Lemma 19

We now prove the final lemma used in the argument that our
implementation of the Metatheorem is correct. Lemma 19 establishes that
if obj represents term t, then (list 'QUOTE obj) represents a quotation
of t.

Lemma 19 ("QUOTEd term is a quotation"). If (termp obj), then |(s
(list 'QUOTE obj))| is a quotation of |(s obj)|.

Proof. By the definition of s, (s (list 'QUOTE obj)) is (sevg
obj). The proof is by induction on the size of obj.

Base case. If obj is not a cons, then from (termp obj), we have
that (symbolp obj). But |(sevg obj)| is then "obj" and |(s obj)| is
obj.

Induction step. If obj is a cons, consider (car obj).

(a). Suppose the car of obj is 'QUOTE. |(s obj)| is |(sevg (cadr
obj))|. From (termp obj), we infer (evg (cadr obj)). From Lemma 7
("sevg of an evg is an explicit value"), we infer that |(sevg (cadr
obj))| is an explicit value. Hence one quotation of |(sevg (cadr obj))|
is (LIST "QUOTE" |(sevg (cadr obj))|), which we now show is in fact
|(sevg obj)|. Since (termp obj) and the car of obj is 'QUOTE, (cdr obj)
is a list, (cadr obj) is an evg (and thus not lsqm) and (cddr obj) is
NIL. Thus, |(sevg obj)| is (CONS "QUOTE" (CONS |(sevg (cadr obj))|
"NIL")), which is (LIST "QUOTE" |(sevg (cadr obj))|).

(b). If (car obj) is not 'QUOTE, then obj has the form (fn arg1
... argn), where n is the length of (cdr obj), (arity fn) is n, and
(termp argi) for each i. Hence |(sevg obj)| is (LIST "fn" |(sevg arg1)|
... |(sevg argn)|) since no argi is lsqm. By inductive hypothesis, each
|(sevg argi)| is a quotation of argi. Q.E.D.
VIII EFFICIENT COMPUTATION ON EXPLICIT VALUES

To use metafunctions efficiently we need a method for rapidly
computing the object objd such that the term represented by (list 'QUOTE
objd) is the reduction of (simp |(s (list 'QUOTE objc))|), when simp is
an explicit value preserving function.

Every time an explicit value preserving function fn is defined in
our theorem-proving system, we store in the definition cell of the
INTERLISP literal atom lfn a routine with the following property:

    If fn takes n arguments and c1, ..., cn are explicit
    values represented by (list 'QUOTE obj1), ..., (list 'QUOTE
    objn) respectively, then (list 'QUOTE (lfn obj1 ... objn))
    represents the reduction of (fn c1 ... cn).

Below we show how we generate the INTERLISP routine for lfn. We leave
to the reader the proof that the program constructed has the desired
property. In most cases the proof is straightforward, given the lemmas
already proved. The statement of this lemma makes no claim about the
efficiency of lfn, but we will discuss efficiency after indicating how
the routines are generated.

Consider first those functions that are built in. A suitable
definition of ltrue, the routine corresponding to TRUE, is (lambda ()
lt). FALSE is similar. The routine for EQUAL is (lambda (x y) (cond
((equal x y) lt) (T lf))), i.e., it returns lt if the two evgs are
equal INTERLISP objects and lf otherwise. The routine for IF should
return the value of its third argument if that of its first is lf and
otherwise return the value of its second argument. Thus, (lif x y z)
should be macro-expanded into (cond ((eq x lf) z) (T y)). Any function
definition of lif must first evaluate x in the environment of the
calling procedure and then selectively evaluate either y or z in the
environment of the calling procedure. We explain why lif must not
evaluate all three arguments when we examine the case for recursive
functions.

Before proceeding, recall the property that lfunctions are supposed
to have. Consider lequal. It is supposed to be the case that if c1 and
c2 are explicit values represented by (list 'QUOTE obj1) and (list
'QUOTE obj2), then the reduction of (EQUAL c1 c2) is represented by
(list 'QUOTE (lequal obj1 obj2)). But Lemma 11 ("EQUAL iff identical")
establishes that (EQUAL c1 c2) reduces to (TRUE) if and only if (equal
obj1 obj2) is non-NIL, and (list 'QUOTE (lequal obj1 obj2)) represents
(TRUE) or (FALSE) according to whether (equal obj1 obj2). So lequal
has the property claimed. The proofs of the other lfunctions are
similar.

The lfunctions for the various primitive shell functions are
defined similarly so we will only exhibit the definitions of llistp,
lcons, lcar, and lcdr.

(llistp (lambda (x)
          (cond ((and (listp x)
                      (not (eq (car x) lsqm)))
                 lt)
                (T lf))))

(lcons (lambda (x y) (cons x y)))

(lcar (lambda (x)
        (lif (llistp x) (car x) 0)))

(lcdr (lambda (x)
        (lif (llistp x) (cdr x) 0)))

Observe how their correctness follows immediately from such lemmas as 8
("LISTP iff listp and not lsqm") and 9 ("CDR is cdr when not lsqm").

Now we consider functions introduced by the user, either via the
shell principle or the principle of definition. Suppose we have
correctly obtained the INTERLISP routines for all the previously
introduced explicit value preserving functions and are now considering
some newly introduced function fn.

Suppose fn is introduced by the shell principle. If fn is a
recognizer, lfn is the INTERLISP function that returns lt or lf
according to whether its argument is a listp whose car is lsqm and whose
cadr is the name of the shell constructor or bottom object of the class.
If fn is a bottom object function, lfn returns the list of length 2 with
lsqm as its car and the bottom object name as its cadr. If fn is a
constructor function, lfn returns a list of length n+2, with lsqm as its
car, the constructor function name as its cadr, and n elements in the
cddr. The ith element of the cddr is just the ith argument to lfn if
that argument satisfies the ith type restriction and otherwise is the
evg representing the ith default value. Type restrictions are checked
by calling the already obtained routines corresponding to the finite set
of recognizers that must approve or disapprove of the argument. The evg
for the default value is obtained by calling the already defined routine
for it. Finally, if fn is the ith accessor function of a shell, lfn
returns the i+2nd element of its argument if its argument satisfies the
recognizer routine for its shell class (but is not the representation of
the optional bottom object), and otherwise returns the evg for the ith
default value.
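The following Python model is an added illustration of the shell-principle routines just described; it is not code from the paper. The shell it builds (constructor PUSH with accessors TOP and POP, bottom object EMPTY, recognizer STACKP), the spelling "*1*QUOTE" for the marker atom lsqm, the representation of lt and lf as lsqm-tagged lists, and the ONE.OF/NONE.OF encoding of a type restriction are all assumptions made for the example.

```python
# Added illustration (not the paper's code): the l-routines of one shell
# class, built from the description in the text.  Assumed spellings:
# lsqm is "*1*QUOTE"; lt and lf are the lsqm-tagged lists below.
LSQM = "*1*QUOTE"
LT = [LSQM, "TRUE"]
LF = [LSQM, "FALSE"]


def satisfies(arg, restriction):
    """A type restriction is None, or (mode, recognizers) where mode is
    "ONE.OF" (some recognizer must approve) or "NONE.OF" (none may).
    Each recognizer is a zero-arg function returning the routine, so a
    shell may refer to its own recognizer (assumed encoding)."""
    if restriction is None:
        return True
    mode, recognizers = restriction
    approved = any(get()(arg) is LT for get in recognizers)
    return approved if mode == "ONE.OF" else not approved


def make_shell(constructor, bottom, restrictions, defaults):
    """Return recognizer, bottom, constructor and accessor routines.
    defaults[i] is a zero-arg routine returning the i-th default evg."""
    names = [n for n in (constructor, bottom) if n is not None]

    def lrecognizer(x):
        # lt iff x is a listp whose car is lsqm and whose cadr names the
        # constructor or the bottom object of this class.
        ok = (isinstance(x, list) and len(x) >= 2
              and x[0] == LSQM and x[1] in names)
        return LT if ok else LF

    def lbottom():
        return [LSQM, bottom]

    def lconstructor(*args):
        assert len(args) == len(restrictions)
        # i-th argument if it meets the i-th restriction, else the default evg
        fields = [arg if satisfies(arg, r) else defaults[i]()
                  for i, (arg, r) in enumerate(zip(args, restrictions))]
        return [LSQM, constructor] + fields

    def make_accessor(i):
        def laccessor(x):
            # i+2nd element of a constructed object of this class;
            # the i-th default for the bottom object or anything else.
            if lrecognizer(x) is LT and x[1] == constructor:
                return x[i + 2]
            return defaults[i]()
        return laccessor

    return {"recognizer": lrecognizer, "bottom": lbottom,
            "constructor": lconstructor,
            "accessors": [make_accessor(i) for i in range(len(restrictions))]}


# Constructed example shell: (PUSH top pop), bottom object (EMPTY).
# POP must satisfy STACKP (default (EMPTY)); TOP is unrestricted (default 0).
STACK = make_shell(
    constructor="PUSH", bottom="EMPTY",
    restrictions=[None, ("ONE.OF", [lambda: STACKP])],
    defaults=[lambda: 0, lambda: EMPTY()],
)
STACKP, EMPTY, PUSH = STACK["recognizer"], STACK["bottom"], STACK["constructor"]
TOP, POP = STACK["accessors"]
```

The recognizer for the POP restriction is passed as a thunk because STACKP does not exist until make_shell has returned; this mirrors the text's remark that restrictions are checked by calling already obtained recognizer routines.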

If fn is none of the above, it must be a defined function. Its
definition must be of the form (EQUAL (fn x1 ... xn) body), where every
function symbol in body (other than fn) is explicit value preserving.
Thus, for each such function symbol we have a routine. Let lbody be the
INTERLISP expression obtained by replacing uses of fn in body as a
function symbol by lfn and uses of other function symbols in body by the
name of the corresponding routine. Define the INTERLISP routine lfn
with (lambda (x1 ... xn) lbody). For example, given the definition of
APPEND:

Definition.
(APPEND X Y)
=
(IF (LISTP X)
    (CONS (CAR X) (APPEND (CDR X) Y))
    Y),

the definition for lappend is:

(lappend (lambda (x y)
           (lif (llistp x)
                (lcons (lcar x) (lappend (lcdr x) y))
                y))).

lfn always terminates and has the desired property. The key observation
is that a certain measure of the arguments decreases on every recursive
call (namely the measure that "lifts" the evgs back into the theory and
measures them with the function used to justify the definition of fn).
The proof relies upon the fact that (lif x y z) only evaluates y when x
evaluates to non-lf, and only evaluates z otherwise. The reason is that
the measure justifying the admission of fn was proved to decrease in all
recursive calls of fn in the true-branch of the IF provided the test was
true, and was proved to decrease in the false-branch provided the test
was false. Thus, the inductive hypothesis that the computation of y is
correct and terminates can only be obtained in the case where x is known
to have computed to non-lf.
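As an added Python model (not the paper's INTERLISP code), here are the built-in routines lif, llistp, lcons, lcar and lcdr together with the lappend generated from APPEND as described above. Cons cells are a small dataclass, NIL is the string "NIL", lsqm is spelled "*1*QUOTE", and lt and lf are lsqm-tagged lists; all of these spellings are assumptions. lif takes its two branches as thunks so that, as the termination argument requires, only one of them is evaluated.

```python
# Added illustration (not the paper's code): the built-in lfunctions and
# the generated lappend.  Representation choices below are assumptions.
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Cons:
    """An INTERLISP cons cell (assumed representation for this example)."""
    car: Any
    cdr: Any


NIL = "NIL"                                 # the literal atom NIL
LSQM = "*1*QUOTE"                           # assumed spelling of lsqm
LT = Cons(LSQM, Cons("TRUE", NIL))          # evg of (TRUE), an lsqm-tagged list
LF = Cons(LSQM, Cons("FALSE", NIL))         # evg of (FALSE)


def lst(*items):
    """Build a proper cons list from Python values (helper for examples)."""
    out = NIL
    for item in reversed(items):
        out = Cons(item, out)
    return out


def lif(test, then_thunk, else_thunk):
    """(lif x y z): evaluate z only when x is lf, otherwise only y.
    The branches are thunks; an ordinary function would evaluate both,
    and the recursive lfunctions built on it would not terminate.
    (The paper tests with eq; structural equality is used here.)"""
    return else_thunk() if test == LF else then_thunk()


def llistp(x):
    # lt iff x is a listp whose car is not lsqm (Lemma 8).
    return LT if isinstance(x, Cons) and x.car != LSQM else LF


def lcons(x, y):
    return Cons(x, y)


def lcar(x):
    return lif(llistp(x), lambda: x.car, lambda: 0)


def lcdr(x):
    return lif(llistp(x), lambda: x.cdr, lambda: 0)


def lappend(x, y):
    """Obtained from (APPEND X Y) = (IF (LISTP X) (CONS (CAR X) (APPEND (CDR X) Y)) Y)
    by replacing every function symbol with its l-routine."""
    return lif(llistp(x),
               lambda: lcons(lcar(x), lappend(lcdr(x), y)),
               lambda: y)


def branch_evaluations(test):
    """Record which branches a single lif call evaluates for this test value."""
    calls = {"then": 0, "else": 0}

    def then_():
        calls["then"] += 1
        return "y"

    def else_():
        calls["else"] += 1
        return "z"

    lif(test, then_, else_)
    return calls
```

Note that lappend applied to a shell object such as LT returns its second argument, exactly as APPEND does in the theory on a non-LISTP, and that lcar of such an object is 0; had lif evaluated both branches, lappend(NIL, y) would have tried to evaluate lappend(lcdr(NIL), y) = lappend(0, y) and recursed without end.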

This  concludes  the  sketch  of  how  we  can  generate  routines  for  each 
explicit  value  preserving  function  in  the  theory. 

For efficiency the theorem-prover actually includes built-in
definitions of PLUS and LESSP and hand-coded versions of lplus and
llessp that take advantage of the hardware for operating on evgs
representing Peano integers and avoid the necessity for recursion by
SUB1. However, once one gets away from the hardware level the functions
one defines can usually take advantage of the same algorithms an
efficient procedure might.

While the code we generate for user-defined functions is equivalent
to that sketched above, we actually compile it after optimizing it in
four ways.

The first optimization technique is to expand certain built-in
functions to avoid incurring an INTERLISP procedure call in cases where
the compiled code represents only a few machine instructions. For
example we expand references to such basic functions as IF and LISTP by
expanding the definitions of the corresponding INTERLISP procedures
"inline."
The second optimization technique eliminates the tension between
INTERLISP's convention of testing against NIL and the theory's
convention of testing against (FALSE). In general, the code for (LISTP
X) tests (and (listp x) (neq (car x) lsqm)) against NIL and branches to
return lf or lt accordingly. According to the optimization presented in
the previous paragraph, if (LISTP X) occurs in the test of an IF, we
might merely expand (LISTP X) and then test the result against lf and
branch accordingly. But it is inefficient for the expansion of (LISTP
X) to branch on NIL to return lt or lf only for IF to test the result
against lf and branch again. By keeping track of whether the results of
built-in predicates such as LISTP, EQUAL, and AND are only being tested
in IFs, our expansion avoids the redundant returning of lt and lf and
the testing against lf.

The third optimization technique eliminates much of the testing of
listp and lsqm that would otherwise be necessary in list processing. In
general, the code for (CAR X) expands to

(cond ((and (listp x) (neq (car x) lsqm))
       (car x))
      (t 0)).

However, if we can prove that the tests governing that occurrence of
(CAR X) imply (LISTP X), then (CAR X) can be expanded into (car x),
which compiles into a single machine instruction. Similarly, in
expanding (EQUAL X Y), which in general must test (equal x y), we
actually test (eq x y), which requires a single machine instruction,
when we know that one of X or Y is a QUOTEd literal atom.

The three optimization techniques above produce the following code
from the definition of APPEND:

(lappend (lambda (x y)
           (cond ((and (listp x) (neq (car x) lsqm))
                  (cons (car x) (lappend (cdr x) y)))
                 (T y)))).
The fourth optimization technique eliminates the expense of
recomputing common subexpressions in the body of a definition during any
evaluation of that body. To each common subexpression we allocate a
temporary variable that is set to the value of the subexpression the
first time it is evaluated. Because we do not put the code into "COND-
normal form," thereby removing all conditionals from the tests of other
conditionals, a given occurrence o of a subexpression s of a definition
can have the property that during some evaluations of the body, a prior
occurrence of s has been evaluated before the occurrence at o is reached,
while on other evaluations of the body, no prior occurrence of s has
been evaluated before the evaluation at o. We therefore initialize our
temporary variables with the atom lx (which is not an evg) and during
the evaluation of a body test the temporary variables against lx in
those situations in which our optimizer could not determine that the
variable had been previously set. We do not save the values of car/cdr
nests since they are compiled efficiently.

The INTERLISP compiler compiles certain forms of recursion as
iteration. Thus, the second call of BAGINT in the compiled version of
that function is actually implemented as a PDP-10 jump instruction
rather than a true recursion.

Here is the INTERLISP code that is compiled for the definition of
CANCEL discussed in Section II. Each setq requires one instruction.
Each neq test requires one instruction.


(lcancel
  (lambda (x)
    (prog ((2temp1 (quote lx)) (2temp2 (quote lx))
           (2temp3 (quote lx)) (2temp4 (quote lx))
           (2temp5 (quote lx)) (2temp6 (quote lx)))
      (return
        (cond
          ((and (setq 2temp6 (neq (lequality? x) lf))
                (setq 2temp5 (neq (lplus.tree? (lcar (cdr x))) lf))
                (neq (lplus.tree? (setq 2temp4 (lcar (cddr x)))) lf))
           (list
             (quote EQUAL)
             (lplus.tree
               (lbagdiff
                 (setq 2temp3 (lfringe (cadr x)))
                 (setq 2temp2
                   (lbagint 2temp3
                            (setq 2temp1 (lfringe (caddr x)))))))
             (lplus.tree (lbagdiff 2temp1 2temp2))))
          ((and 2temp6
                (cond ((neq 2temp5 (quote lx)) 2temp5)
                      (T (neq (lplus.tree? (lcar (cdr x))) lf)))
                (neq (lmember (cond ((neq 2temp4 (quote lx)) 2temp4)
                                    (T (setq 2temp4 (lcar (cddr x)))))
                              (setq 2temp3 (lfringe (cadr x))))
                     lf))
           (cons
             (quote IF)
             (cons
               (list (quote NUMBERP) 2temp4)
               (cons (cons (quote EQUAL)
                           (cons (lplus.tree (ldelete 2temp4 2temp3))
                                 (quote ((ZERO)))))
                     (quote ((FALSE)))))))
          ((and 2temp6
                (neq (lplus.tree? (lcar (lcdr (cdr x)))) lf)
                (neq (lmember (cadr x) (setq 2temp1 (lfringe (caddr x))))
                     lf))
           (cons (quote IF)
                 (cons (list (quote NUMBERP) (cadr x))
                       (cons (list (quote EQUAL)
                                   (quote (ZERO))
                                   (lplus.tree (ldelete (cadr x) 2temp1)))
                             (quote ((FALSE)))))))
          (T x))))))


For example, if obj is the INTERLISP list structure that prints as

(EQUAL (PLUS (PLUS A I) (PLUS B K))
       (PLUS J (PLUS K (PLUS I X))))

then (lcancel obj) is the INTERLISP list structure

(EQUAL (PLUS A B)
       (PLUS J X)).

If obj is the INTERLISP list structure (EQUAL A (PLUS A B)) then
(lcancel obj) is the INTERLISP list structure

(IF (NUMBERP A)
    (EQUAL (ZERO) (FIX B))
    (FALSE)).

By all of the foregoing, we know that if obj represents a term, then
(lcancel obj) represents a term that is provably equal to that
represented by obj.
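The following Python transcription of the three branches visible in the compiled lcancel above is an added illustration, not the paper's code. Terms are nested Python lists. CANCEL's subfunctions are defined in Section II, which is not reproduced here, so FRINGE, PLUS.TREE, PLUS.TREE?, EQUALITY?, BAGINT, BAGDIFF and DELETE below are reconstructions that agree with the two examples just given; in particular PLUS.TREE is assumed to map the empty bag to (ZERO), a singleton (a) to (FIX a), a pair to (PLUS a b) and longer bags to a right-nested PLUS.

```python
# Added illustration: the three rewriting branches of lcancel in Python.
# Terms: a variable is a str, an application is [fn, arg1, ...].
# The helpers reconstruct CANCEL's subfunctions from the examples in the
# text (Section II is not on this page); they are assumptions.

def plus_tree_p(x):
    """(PLUS.TREE? x): x is a two-argument PLUS application."""
    return isinstance(x, list) and len(x) == 3 and x[0] == "PLUS"


def equality_p(x):
    """(EQUALITY? x): x is a two-argument EQUAL application."""
    return isinstance(x, list) and len(x) == 3 and x[0] == "EQUAL"


def fringe(x):
    """The bag of addends of a PLUS tree, left to right."""
    return fringe(x[1]) + fringe(x[2]) if plus_tree_p(x) else [x]


def plus_tree(bag):
    """Rebuild a term from a bag of addends: () -> (ZERO), (a) -> (FIX a),
    (a b) -> (PLUS a b), longer bags -> right-nested PLUS."""
    if not bag:
        return ["ZERO"]
    if len(bag) == 1:
        return ["FIX", bag[0]]
    if len(bag) == 2:
        return ["PLUS", bag[0], bag[1]]
    return ["PLUS", bag[0], plus_tree(bag[1:])]


def delete(e, bag):
    """Remove one occurrence of e from bag (bags are lists with repeats)."""
    out = list(bag)
    if e in out:
        out.remove(e)
    return out


def bagint(x, y):
    """Bag intersection, with the order and multiplicity of x."""
    rest, out = list(y), []
    for e in x:
        if e in rest:
            rest.remove(e)
            out.append(e)
    return out


def bagdiff(x, y):
    """Bag difference: remove one occurrence of each element of y from x."""
    out = list(x)
    for e in y:
        out = delete(e, out)
    return out


def cancel(x):
    """The three branches of lcancel; any other term is returned unchanged."""
    if not equality_p(x):
        return x
    u, v = x[1], x[2]
    if plus_tree_p(u) and plus_tree_p(v):
        # Branch 1: drop the addends common to both sides.
        fu, fv = fringe(u), fringe(v)
        common = bagint(fu, fv)
        return ["EQUAL", plus_tree(bagdiff(fu, common)), plus_tree(bagdiff(fv, common))]
    if plus_tree_p(u) and v in fringe(u):
        # Branch 2: v is an addend of the left-hand PLUS tree.
        return ["IF", ["NUMBERP", v],
                ["EQUAL", plus_tree(delete(v, fringe(u))), ["ZERO"]],
                ["FALSE"]]
    if plus_tree_p(v) and u in fringe(v):
        # Branch 3: u is an addend of the right-hand PLUS tree.
        return ["IF", ["NUMBERP", u],
                ["EQUAL", ["ZERO"], plus_tree(delete(u, fringe(v)))],
                ["FALSE"]]
    return x


# The two examples from the text.
EXAMPLE_1 = ["EQUAL", ["PLUS", ["PLUS", "A", "I"], ["PLUS", "B", "K"]],
                      ["PLUS", "J", ["PLUS", "K", ["PLUS", "I", "X"]]]]
EXAMPLE_2 = ["EQUAL", "A", ["PLUS", "A", "B"]]
```

Running cancel on EXAMPLE_1 and EXAMPLE_2 reproduces the two results shown in the text; an equation whose two PLUS trees have the same fringe, such as (EQUAL (PLUS A B) (PLUS B A)), becomes (EQUAL (ZERO) (ZERO)), which is the case the note below about ZERO refers to.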

Note that lcancel sometimes returns a term with ZERO as its
function symbol. The theorem-prover will have to spend a small amount
of time converting that term to its normal internal form, (QUOTE 0),
during the course of routine simplification. We could have defined
CANCEL to return (LIST "QUOTE" 0) instead of (LIST "ZERO"). Both terms
have the same MEANING, so the proof of correctness is no more difficult,
but the former term compiles to '(QUOTE 0), which is the internal normal
form for (ZERO). We did not define CANCEL this way only because at the
time CANCEL was first described in this paper we had not defined the
MEANING of QUOTE. The use of FALSE in lcancel can be similarly
eliminated.
IX PROOF OF THE CORRECTNESS OF CANCEL

The theorem-prover compiles every explicit value preserving
function as soon as it has been admitted into the theory. During
subsequent proofs, the compiled code is executed whenever constant
expressions, such as (APPEND (LIST 1 2 3) (LIST 4 5 6)), arise. But the
theorem-prover cannot use lcancel as a proof procedure until it has been
proved correct.

This raises the question: how hard is it to prove the correctness
of metafunctions mechanically? We can report that it was not
particularly difficult to prove the correctness of CANCEL using our
theorem-prover.

Recall that we have two things to prove: that CANCEL returns a
FORMP when given one, and that CANCEL preserves the MEANING of input
FORMPs.

Despite the complicated definition of SYMBOLP and its subfunction
LEGAL.CHAR.CODE.SEQ, the proof of the FORMP property of CANCEL is almost
trivial. The reason is that because CANCEL constructs no new variable
symbols, SYMBOLP never becomes involved in the correctness proof: the
FORMP hypothesis lets the theorem-prover establish FORMP for every
subform of the output that is a subform of the input. So the only work
in proving that CANCEL produces FORMPs when given FORMPs is proving that
the function applications "created" by CANCEL and its subfunctions are
well-formed in the sense of having a function name in the CAR and the
right number of FORMPs in the CDR.

To get the theorem-prover to prove the FORMP property of CANCEL, we
suggested that it prove the following easy lemmas: when given a FORMP,
FRINGE returns a FORM.LSTP, the result of DELETEing something from a
FORM.LSTP is a FORM.LSTP, (BAGDIFF X Y) is a FORM.LSTP when X is, and
(PLUS.TREE X) is a FORMP if X is a FORM.LSTP. The theorem-prover proves
these lemmas without user assistance beyond the statement of the lemmas
and the implication that they are useful. The proofs require induction,
sometimes on the structure of FORMPs, sometimes on the process of
considering the elements of one bag against those of another, and
sometimes on linear lists. Besides induction, the proofs require a good
deal of simplification and the careful expansion of certain function
definitions at the right moments. Once it has established these
properties of the subfunctions of CANCEL, the system can easily employ
the lemmas to prove that CANCEL produces a FORMP when given one. The
entire sequence of FORMP proofs requires about 25 seconds of CPU time on
a DEC KL.

The proof that CANCEL preserves the MEANING of its input and output
is somewhat more interesting. Starting from the basic axioms of the
theory and the definitions of the functions concerned, we first got the
theorem-prover to prove some obvious facts about the theory of lists
(e.g., that X is a MEMBER of (APPEND A B) iff it is a MEMBER of A or B),
the theory of bags (e.g., that the bag intersection of two bags is a
subbag of both), and the theory of numbers (e.g., that PLUS is
associative, commutative, and allows cancellation of a common first
argument on each side of an equation). Most of these classic theorems
require induction to prove.

Once these facts are available, we instructed the system to prove
the fundamental relationships induced by MEANING and PLUS.TREE between
bags and numbers. There are three key lemmas: (a) If X is a subbag of
Y, then the MEANING of the PLUS.TREE constructed from the bag difference
of Y and X is equal to the Peano difference of the MEANINGs of the
PLUS.TREEs constructed from Y and X. (b) If X is a subbag of Y then the
MEANING of the PLUS.TREE constructed from Y is a number greater than or
equal to that constructed from X. (c) The MEANING of (PLUS.TREE (FRINGE
X)) is the MEANING of X, when (PLUS.TREE? X) is true. The lemmas are
all proved by induction, sometimes on the structure of FORMPs and
sometimes on that of bags. The first lemma is the hardest and we invite
the reader to prove it as an exercise.
Once these and several similar lemmas have been proved, the fact
that CANCEL preserves MEANING is fairly obvious. We will sketch the
system's proof for the first branch of CANCEL. Suppose the expression
to be CANCELed has the form (EQUAL u v), where u and v are PLUS-trees.
By expanding the definition of MEANING, we must prove that the MEANING
of the output of CANCEL is equal to:

  *1  (EQUAL (MEANING u A) (MEANING v A)).

The output of CANCEL in this case is

      (LIST "EQUAL"
            (PLUS.TREE (BAG.DIFF (FRINGE u) int))
            (PLUS.TREE (BAG.DIFF (FRINGE v) int))),

where int is the bag intersection of the FRINGEs of u and v. The
MEANING of the output is thus the equation of the MEANINGs of the two
PLUS.TREE expressions:

  *2  (EQUAL (MEANING (PLUS.TREE (BAG.DIFF (FRINGE u) int)) A)
             (MEANING (PLUS.TREE (BAG.DIFF (FRINGE v) int)) A)),

and we must show that *1 and *2 are equal. But the MEANING of
(PLUS.TREE (BAG.DIFF Y X)) is equal to the MEANING of (PLUS.TREE Y)
minus the MEANING of (PLUS.TREE X), provided X is a subbag of Y. Since
int is a subbag of both (FRINGE u) and (FRINGE v), by the fact that
the bag intersection of two bags is a subbag of both, we can rewrite
*2 to:

  *3  (EQUAL (DIFFERENCE (MEANING (PLUS.TREE (FRINGE u)) A)
                         (MEANING (PLUS.TREE int) A))
             (DIFFERENCE (MEANING (PLUS.TREE (FRINGE v)) A)
                         (MEANING (PLUS.TREE int) A))).

Since the MEANING of (PLUS.TREE int) is less than or equal to each of
the two minuends, and the two minuends are always numeric, lemmas from
Peano arithmetic let us reduce the above equality to:

  *4  (EQUAL (MEANING (PLUS.TREE (FRINGE u)) A)
             (MEANING (PLUS.TREE (FRINGE v)) A)).

But the MEANING of (PLUS.TREE (FRINGE X)) is the MEANING of X, when
(PLUS.TREE? X) is true. Thus, we can simplify *4 to:

  *5  (EQUAL (MEANING u A) (MEANING v A)),

which is *1. Q.E.D.

The total CPU time required for the MEANING part of the CANCEL
proofs (not counting the proofs of the list, bag, and arithmetic lemmas
which are part of the system's standard repertoire) is about seven
minutes. Thus, the entire CANCEL exercise consumes about eight CPU
minutes plus the user's time to formulate the necessary lemmas, a
small price to pay for the assurance that the new procedure is sound.

The theorem-prover has proved the correctness of a much more
difficult metafunction, namely, the totality, soundness, and
completeness of a decision procedure for propositional calculus. The
proof of that theorem is discussed in [1]. The theorem-prover required
no modification to prove the correctness of CANCEL. In particular, the
heuristics developed to prove "ordinary" theorems were just as effective
when applied to "metatheorems" stated in terms of MEANING. The proof of
the correctness of CANCEL involved much less user direction (in the form
of lemmas) than many other mathematical results the system has proved
(e.g., the prime factorization theorem derived from our shell axioms for
numbers and lists). The proof is also easier than the correctness
proofs for many programs (e.g., our fast string searching algorithm).

We are therefore optimistic about the prospects for adding useful
new proof procedures to our theorem-prover via this approach.
X  USING METAFUNCTIONS EFFICIENTLY

Whenever the user commands the theorem-prover to prove a theorem,
he provides the system with a list of tokens indicating how the theorem
is to be stored for future use. In [1] we employed four such tokens:
REWRITE, indicating that the theorem is to be used as a rewrite rule;
ELIM, indicating that it is to be used to eliminate certain
"undesirable" function symbols; GENERALIZE, indicating that the theorem
suggests properties to keep in mind when generalizing subgoals; and
INDUCTION, indicating that the theorem is useful in the search for well-
founded relations and measures explaining definitions and inductions.
The system checks that the theorem is suitable for use in the ways
indicated (e.g., that an INDUCTION lemma really does state a property
about a known well-founded relation). The purpose of the tokens is to
allow the user to inform the system that the theorem should be used in
the ways indicated.

We have added the new token META0, indicating that the lemma
establishes that a certain function is a correct simplifier. A META0
lemma must have the form of *META in our Metatheorem. Once the lemma is
proved, the compiled code for the metafunction, e.g., CANCEL, is stored
so that it is executed on every term at the propositional level of
every goal to which the simplifier is applied (i.e., the function is
applied in turn to the atom of every literal in each clause
simplified). Whenever the term returned is different from the input
term, that occurrence of the input term is replaced by the output.

The Metatheorem justifies not only the implementation of META0
lemmas, which let the user add new simplifiers to be applied at the
propositional level, but also the implementation of what we call META1
lemmas, which let the user add new simplifiers to be applied to every
term simplified. We envision ultimately providing a variety of META
tokens corresponding to different "hooks" within the system where users
need the ability to place new procedures. For each such hook the form
required of the *META lemma may be different (e.g., in some places it is
sufficient to know that the MEANING of the output implies that of the
input).

CANCEL is now in standard use as a META0-type proof procedure in
our system. The actual definition of CANCEL in use differs slightly
from the one presented in Section II. The real definition uses (LIST
"QUOTE" 0) and (LIST "QUOTE" (FALSE)) instead of (LIST "ZERO") and (LIST
"FALSE"). In addition, its propositional structure is slightly
different so that it is more efficient: LISTP and EQUAL tests are used
in place of the functions EQUALITY? and PLUS.TREE?, and the outermost IF
first tests whether the argument is an equality and exits immediately
when it is not, while the definition presented here tests for equality
three times. Both versions of CANCEL have been proved correct and the
proofs are virtually identical. The use of CANCEL as a META0-type proof
procedure slows down our system by roughly one half of one percent on a
sample of several hundred theorems, most of which do not involve
arithmetic.

To complete this description of our work on metafunctions, we give
below our theorem-prover's output on a simple theorem, concocted to
illustrate CANCEL at work. The proof is produced immediately after
CANCEL has been proved correct and the numerically valued functions
TIMES and EXPT have been introduced. The proof involves only equality
reasoning and cancellation.

Theorem.

  (IMPLIES (AND (NUMBERP A)
                (NUMBERP X)
                (NUMBERP B)
                (EQUAL (PLUS (PLUS A B) D)
                       (PLUS B (PLUS (TIMES I J) D)))
                (EQUAL (PLUS A X)
                       (PLUS B (TIMES I J))))
           (EQUAL (EXPT A X) (EXPT A B)))

This simplifies, applying the lemma CORRECTNESS.OF.CANCEL and
expanding the definition FIX, to the new conjecture:

  (IMPLIES (AND (NUMBERP A)
                (NUMBERP X)
                (NUMBERP B)
                (EQUAL A (TIMES I J))
                (EQUAL (PLUS A X)
                       (PLUS B (TIMES I J))))
           (EQUAL (EXPT A X) (EXPT A B))),

which again simplifies, rewriting with CORRECTNESS.OF.CANCEL and
unfolding FIX, to the conjecture:

  (IMPLIES (AND (NUMBERP X)
                (NUMBERP B)
                (EQUAL X B))
           (EQUAL (EXPT (TIMES I J) X)
                  (EXPT (TIMES I J) B))),

which again simplifies, clearly, to:

  (TRUE).

Q.E.D.
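The following Python is an added example written for this page; it is not the paper's code and not the theorem-prover's implementation. It models, in one place, the ingredients of the MEANING argument sketched for the first branch of CANCEL (FRINGE, BAGDIFF, bag intersection, PLUS.TREE, MEANING, and the FORMP well-formedness check discussed earlier), the META0 hook that runs a proved simplifier over the atom of every literal of a clause, and the first CANCEL step of the sample proof above. The arity table, the (FIX e) shape of a one-addend PLUS.TREE, the use of Python strings for non-numeric values such as T, and the restriction to the branch where both sides are PLUS-trees are assumptions made here. A deliberately unguarded variant of CANCEL is included to show the kind of counterexample the MEANING obligation exists to catch.

```python
# Added example, not the paper's code: a toy model of FORMP, MEANING, CANCEL
# and the META0 hook.  Terms are nested tuples in the paper's Lisp-like syntax:
# a variable is a str, a constant is ("QUOTE", value), and an assignment A
# maps variable names to values (ints, or strs for non-numbers such as "T").
from itertools import product

ARITY = {"QUOTE": 1, "FIX": 1, "PLUS": 2, "TIMES": 2, "EQUAL": 2}  # assumed table

def formp(x):
    """Well-formed: a variable, a constant, or a known function symbol in the
    CAR applied to the right number of FORMPs in the CDR."""
    if isinstance(x, str):
        return True
    if not (isinstance(x, tuple) and x and ARITY.get(x[0]) == len(x) - 1):
        return False
    return x[0] == "QUOTE" or all(formp(a) for a in x[1:])

def fix(v):
    """FIX: numbers are unchanged, every non-number becomes 0."""
    return v if isinstance(v, int) and not isinstance(v, bool) else 0

OPS = {"PLUS": lambda a, b: fix(a) + fix(b), "TIMES": lambda a, b: fix(a) * fix(b),
       "FIX": fix, "EQUAL": lambda a, b: a == b}

def meaning(x, A):
    """MEANING of term x under assignment A (only the symbols used here)."""
    if isinstance(x, str):
        return A[x]
    if x[0] == "QUOTE":
        return x[1]
    return OPS[x[0]](*[meaning(a, A) for a in x[1:]])

def is_plus(x):
    return isinstance(x, tuple) and x[0] == "PLUS"

def fringe(x):
    """Addends of a PLUS-tree as a bag (a list that keeps multiplicity)."""
    return fringe(x[1]) + fringe(x[2]) if is_plus(x) else [x]

def bag_diff(y, x):
    """BAGDIFF: delete one occurrence of each element of x from y."""
    y = list(y)
    for e in x:
        if e in y:
            y.remove(e)
    return y

def bag_intersect(x, y):
    """Common elements with the smaller multiplicity: x minus (x minus y)."""
    return bag_diff(x, bag_diff(x, y))

def plus_tree(bag):
    """Rebuild a right-nested PLUS-tree from a bag.  The FIX around a lone
    addend (assumed shape) keeps MEANING unchanged when it is not a number."""
    if not bag:
        return ("QUOTE", 0)
    if len(bag) == 1:
        return ("FIX", bag[0])
    return ("PLUS", bag[0], plus_tree(bag[1:]))

def cancel(form, guarded=True):
    """First branch of CANCEL: (EQUAL u v) with both sides PLUS-trees.
    guarded=False is a deliberately broken variant that also fires when one
    side is a bare term; the MEANING proof obligation is what rules it out."""
    if not (isinstance(form, tuple) and form[0] == "EQUAL"):
        return form
    u, v = form[1], form[2]
    if guarded and not (is_plus(u) and is_plus(v)):
        return form
    fu, fv = fringe(u), fringe(v)
    common = bag_intersect(fu, fv)
    if not common:
        return form
    return ("EQUAL", plus_tree(bag_diff(fu, common)), plus_tree(bag_diff(fv, common)))

def meaning_preserved(form, names, values, **kw):
    """Compare MEANING of form and cancel(form) under every assignment of
    `values` to `names`; return the first counterexample, or None."""
    out = cancel(form, **kw)
    for vals in product(values, repeat=len(names)):
        A = dict(zip(names, vals))
        if meaning(out, A) != meaning(form, A):
            return A
    return None

def simplify_clause(clause, metafn):
    """META0 hook: run the proved simplifier on the atom of every literal (a
    clause is a list of (negated, atom) pairs); whatever differs is replaced."""
    return [(neg, metafn(atom)) for neg, atom in clause]

# The paper's sample theorem as a clause: negated hypotheses, then the conclusion.
TIMES_IJ = ("TIMES", "I", "J")
H4 = ("EQUAL", ("PLUS", ("PLUS", "A", "B"), "D"), ("PLUS", "B", ("PLUS", TIMES_IJ, "D")))
H5 = ("EQUAL", ("PLUS", "A", "X"), ("PLUS", "B", TIMES_IJ))
CLAUSE = [(True, ("NUMBERP", "A")), (True, ("NUMBERP", "X")), (True, ("NUMBERP", "B")),
          (True, H4), (True, H5), (False, ("EQUAL", ("EXPT", "A", "X"), ("EXPT", "A", "B")))]

if __name__ == "__main__":
    for neg, atom in simplify_clause(CLAUSE, cancel):
        print("NOT" if neg else "   ", atom)
    print(meaning_preserved(("EQUAL", ("PLUS", "A", "B"), "B"), ["A", "B"], [0, "T"], guarded=False))
```

Running the hook on the sample theorem rewrites the fourth literal to (EQUAL (FIX A) (FIX (TIMES I J))), which is the conjecture the prover prints once it has unfolded FIX under the NUMBERP hypotheses; the fifth literal has no common addends and only cancels after the prover has substituted (TIMES I J) for A. The unguarded variant turns (EQUAL (PLUS A B) B) into (EQUAL (FIX A) (QUOTE 0)), which under A = 0, B = T is true where the input was false: a simplifier installed without the META0 proof could silently turn a false goal into a provable one, which is the soundness risk the Metatheorem eliminates.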

